The worst part is this isn't even just going to affect folks that would never think to update their router firmware. The firmware they *do* push out is frequently a massive downgrade.

About a year ago, I tried to update the firmware on my Netgear router. It was the exact model from the article, the R7000. I assumed "new update" for router firmware would involve some critical security updates, and maybe some stability fixes, but it basically rendered the router unusable. It would crash every few hours with normal usage. I googled around and it turns out it was a known issue; the only recommended fix was "roll back to version x.x.x" (2 versions prior). I found this fix months after it had been posted, and there had still been no new patch released to fix the issue.

When my relatives call me to fix their wifi, I now have to think twice about updating the firmware. These days I recommend the Google Wifi mesh router(s), because they just involve the least maintenance effort. They have fewer fine-tune controls and the wifi speed is slightly slower when you start approaching gigabit speeds (vs other high-end consumer routers), but it's definitely worth the trade-off for me. Plus, anyone calling me to help with their wifi won't notice either of those things :)
I am sick of having to assume my network hardware is trivially compromised.

What will it take for me to be able to purchase a microkernel-driven router/access point with audited drivers (or Rust-based)? I would settle for mediocre performance (i.e. no gigabit) if I could have some strong security guarantees.

Can I set up Redox or seL4 as home network hardware at this point? Or would the pain threshold still be quite high?
I noticed there's a gap in some of the affected lists (mainly the MediaTek/Ralink mipsel hardware). They don't appear to have the same httpd binary talked about here. (Instead they have a mini_httpd?)

They do appear, however, to be still very vulnerable to CVE-2020-8597 (no PIE or stack cookies, probably RWX stack), and for the one device I took a look at (R6700v2), the firmware image hasn't been updated since last September.

Oh well.
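The comment above judges a firmware binary by three build-time mitigations: PIE, stack cookies, and a non-executable stack. The following is an added example (not the commenter's code and not from the GRIMM write-up) of how those three properties can be read straight out of a 32-bit little-endian ELF image such as a mipsel httpd, without `readelf` or `checksec` on the box. It assumes the file has already been extracted from the firmware image, treats a missing `PT_GNU_STACK` header conservatively as "not proven NX", and uses the same heuristic checksec-style tools use for canaries: a stack-protected binary imports `__stack_chk_fail`, so that name appears in its dynamic string table. The `build_sample` helper constructs a minimal fake ELF so the checker can be exercised offline; it is not a real firmware binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF constants used below (values from the ELF specification). */
#define ET_DYN_       3u           /* e_type of a PIE / shared object */
#define PT_GNU_STACK_ 0x6474e551u  /* program header carrying stack permissions */
#define PF_X_         1u           /* executable bit in p_flags */

struct mitigations {
    int valid;     /* parsed as a 32-bit little-endian ELF (mipsel, ARM LE, ...) */
    int pie;       /* e_type == ET_DYN */
    int nx_stack;  /* PT_GNU_STACK present and without PF_X (missing header counts as 0) */
    int canary;    /* heuristic: "__stack_chk_fail" present in the image */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Inspect an in-memory ELF32 LE image. Only the ELF header (52 bytes) and the
 * program header table are interpreted; everything else is treated as opaque. */
struct mitigations check_elf32_le(const uint8_t *buf, size_t len) {
    struct mitigations m = {0, 0, 0, 0};
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return m;
    if (buf[4] != 1 || buf[5] != 1) return m;          /* ELFCLASS32 and ELFDATA2LSB only */
    m.valid = 1;
    m.pie = rd16(buf + 16) == ET_DYN_;                  /* e_type */
    uint32_t phoff = rd32(buf + 28);                    /* e_phoff */
    uint16_t phentsize = rd16(buf + 42), phnum = rd16(buf + 44);
    for (uint16_t i = 0; i < phnum; i++) {
        size_t off = (size_t)phoff + (size_t)i * phentsize;
        if (phentsize < 32 || off + 32 > len) break;   /* truncated or bogus table */
        const uint8_t *ph = buf + off;
        if (rd32(ph) == PT_GNU_STACK_)                  /* p_type */
            m.nx_stack = (rd32(ph + 24) & PF_X_) == 0;  /* p_flags sits at offset 24 */
    }
    const char *needle = "__stack_chk_fail";            /* imported by -fstack-protector code */
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) { m.canary = 1; break; }
    return m;
}

/* Read a whole file (e.g. an httpd extracted from a firmware image) and check it. */
struct mitigations check_file(const char *path) {
    struct mitigations none = {0, 0, 0, 0};
    FILE *f = fopen(path, "rb");
    if (!f) return none;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return none; }
    long sz = ftell(f);
    if (sz <= 0) { fclose(f); return none; }
    rewind(f);
    uint8_t *buf = malloc((size_t)sz);
    size_t got = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    struct mitigations m = check_elf32_le(buf, got);
    free(buf);
    return m;
}

/* Constructed minimal ELF32 LE image with one PT_GNU_STACK header, for offline
 * demonstration only; it is not a real firmware binary. */
size_t build_sample(uint8_t *out, size_t cap, int pie, int exec_stack, int with_canary_sym) {
    if (cap < 128) return 0;
    memset(out, 0, cap);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;     /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(out + 16, pie ? 3 : 2);            /* ET_DYN or ET_EXEC */
    wr16(out + 18, 8);                      /* EM_MIPS */
    wr32(out + 20, 1);                      /* e_version */
    wr32(out + 28, 52);                     /* e_phoff: table follows the header */
    wr16(out + 40, 52);                     /* e_ehsize */
    wr16(out + 42, 32);                     /* e_phentsize */
    wr16(out + 44, 1);                      /* e_phnum */
    uint8_t *ph = out + 52;
    wr32(ph, PT_GNU_STACK_);
    wr32(ph + 24, exec_stack ? 7u : 6u);    /* RWX vs RW stack */
    size_t n = 84;
    if (with_canary_sym) { memcpy(out + n, "__stack_chk_fail", 17); n += 17; }
    return n;
}

/* Number of mitigations (0..3) found in a constructed sample, or -1 if unparsable. */
int sample_score(int pie, int exec_stack, int with_canary_sym) {
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf, pie, exec_stack, with_canary_sym);
    struct mitigations m = check_elf32_le(buf, n);
    return m.valid ? m.pie + m.nx_stack + m.canary : -1;
}

int main(int argc, char **argv) {
    struct mitigations m;
    if (argc > 1) {
        m = check_file(argv[1]);             /* usage: ./elfcheck path/to/extracted/httpd */
    } else {
        uint8_t buf[128];
        size_t n = build_sample(buf, sizeof buf, 0, 1, 0);   /* legacy-style: no mitigations */
        m = check_elf32_le(buf, n);
    }
    printf("valid=%d PIE=%d NX-stack=%d canary=%d\n", m.valid, m.pie, m.nx_stack, m.canary);
    return 0;
}
```

The string scan for `__stack_chk_fail` is deliberately crude: it says the binary was built with a stack protector, not that every function is protected (`-fstack-protector` only instruments functions with character arrays, `-fstack-protector-strong` or `-all` covers more). A real audit would also look at the vendor's libc, since uClibc builds on these SoCs are frequently configured without the protector at all.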
I've used Apple routers for many years, but since they've been discontinued I wonder what I'll do when I need to replace them. All the major alternatives seem to have crap software that requires frequent reboots and has security issues.

Can anyone recommend an awesome wireless router that works great off the shelf? I don't want to have to learn how to flash it with DD-WRT.
Treat these devices like PCs:

See the installed system as an "example installation to demonstrate functioning", like HP with the bundled crapware on PCs.

Just install OpenWrt as soon as you've done a basic function test. And only buy hardware you know to be compatible.
> In SOHO devices like the R7000, the web server must parse user input
> from the network and run complex CGI functions that use that input.
> Furthermore, the web server is written in C and has had very little testing,
> and thus it is often vulnerable to trivial memory corruption bugs.

I wonder why these network equipment manufacturers are still using CGIs in their firmware?! Is it because the MCUs they use in their hardware are too weak to run a modern version of Linux, with reasonable choices to build a custom compiled version of the web server in Rust rather than C?
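The quoted passage describes the bug class in one sentence: a C web server copies attacker-controlled request data into fixed-size buffers on the way to its CGI handlers. The following is an added example, not the router's httpd and not code from the article, of what that looks like in a hypothetical query-string helper: `get_param_unsafe` is the classic CWE-121 shape (it copies a value with no knowledge of the destination size), and `get_param_safe` is the hardened form a reviewer would ask for. The function names, the error codes and the sample query strings are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate the value of "key" in a QUERY_STRING such as "ssid=home&pass=x".
 * Returns a pointer to the first byte after "key=", or NULL if the key is absent. */
static const char *find_value(const char *query, const char *key) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');      /* skip to the next "k=v" pair */
        if (p) p++;
    }
    return NULL;
}

/* The classic defect (CWE-121): the value is copied into the caller's fixed-size
 * buffer without knowing how large that buffer is, so a value longer than the
 * buffer overruns the stack frame. Shown for contrast only. */
int get_param_unsafe(const char *query, const char *key, char *out) {
    const char *v = find_value(query, key);
    if (!v) return -1;
    while (*v && *v != '&')
        *out++ = *v++;
    *out = '\0';
    return 0;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened form: the caller passes the buffer capacity, overlong values are
 * rejected rather than silently truncated, and percent-decoding tracks the
 * output bound. Returns the decoded length, or a negative code:
 * -1 key absent, -2 value too long for the buffer, -3 malformed %-escape. */
int get_param_safe(const char *query, const char *key, char *out, size_t cap) {
    const char *v = find_value(query, key);
    if (!v) return -1;
    size_t raw = strcspn(v, "&");              /* length of the raw (encoded) value */
    if (cap == 0 || raw >= cap) return -2;     /* decoded length <= raw, so this bound suffices */
    size_t o = 0;
    for (size_t i = 0; i < raw; i++) {
        if (v[i] == '%') {
            if (i + 2 >= raw) return -3;       /* "%4" at the end of the value */
            int hi = hexval(v[i + 1]), lo = hexval(v[i + 2]);
            if (hi < 0 || lo < 0) return -3;
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else if (v[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = v[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* constructed sample request data */
    char buf[16];
    int n = get_param_safe("ssid=my%20net&pass=hunter2", "ssid", buf, sizeof buf);
    printf("ssid -> %d (%s)\n", n, n >= 0 ? buf : "rejected");
    n = get_param_safe("ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "ssid", buf, sizeof buf);
    printf("overlong ssid -> %d\n", n);        /* -2: refused instead of overflowing */
    return 0;
}
```

The two design points that matter are that the capacity travels with the buffer (so the parser cannot be called with a destination it knows nothing about) and that an over-length value is an error, not a truncation: silently cutting a value at the buffer boundary is what turns one bug into a different one (a SSID or password stored with bytes missing).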
I gave up on netgear long ago for access points. Been running stuff from https://mikrotik.com/ since 2016. They are a bit dated in some areas, but they are cheap and I've never had any issues.
Reading stuff like this makes me glad I ditched consumer grade all-in-one stuff and went with a $REAL (feel free to substitute appropriate brand) router and stand alone AP.
Predictably, the web servers are an afterthought for branding so that users don't have to edit configuration files and operate at a command line.

(a) 99%+ of people buying these things do not know or care about security, aside from someone stealing their WiFi bandwidth; (b) the manufacturer does not care because of (a).

As follows, all they care about (WRT the web server) is that they are easy enough for non-technical people to set up such that they don't end up on a tech support call or returning the device for a refund. That is it.

If you are the 1% that cares about security on your home network, it is far less stressful to simply conclude these products are not for you and move on with your life. You should be looking at enterprise hardware, open source router firmware, or rolling your own.

In any case, what surprises me is that over time the router manufacturers haven't simply built up a single, relatively patched-up, web server implementation that they re-use. Even without aligned incentives, you would think over years and years of development they'd have something at least as good as what you can clone from github for free.
Why is this a big deal since you can exploit the vulnerability only when you are connected to the local network? (I've seen some of these exploits used to replace the installed firmware with openwrt)
https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.06.15-netgear/notes.txt

> * R6300v2 version 1.0.3.6CH, 1.0.3.8, and 1.0.4.32
> * R6400 version 1.0.1.20, 1.0.1.36, and 1.0.1.44
> * R7000 versions 9.88, 9.64, 9.60, 9.42, 9.34, 9.18, 9.14, 9.12, 9.10, 9.6, and 8.34

Strange, my Netgear R6700 is not on the list. Does that mean it's unaffected, or that they simply didn't have that model on hand to test against?