NetGear Also Has Remote Access Wide Open 215
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
Fixed in new firmware, available here: (Score:5, Informative)
How very timely... (Score:1, Informative)
I initially went for it because my experience with their wired products has been good. A swift rethink would seem to be required.
Re:huh? (Score:4, Informative)
Re:One wonders what the internal policies are ... (Score:4, Informative)
Re:Possibilities. (Score:2, Informative)
Netgear WG302 (Score:4, Informative)
linked properly for the lazy (Score:5, Informative)
Re:Fixed in new firmware, available here: (Score:3, Informative)
Bug Fixes
Fixed: Lost connections during heavy traffic
Improved system reliability under heavy traffic
Fixed illegal user access the WEB configuration utility.
Known Bugs and Feature Limitations
WPA is not supported.
Wireless Bridging and repeating functions are not supported. "
WGR614 (Score:4, Informative)
Re:Possibilities. (Score:5, Informative)
"The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name. address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."
Reference [experts-exchange.com] here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!
It's a feature, not a bug. (Score:5, Informative)
Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plan text.
Re:It's a feature, not a bug. (Score:2, Informative)
Take my advice (Score:4, Informative)
WG602v2 with firmware 2.0rc5 (Score:4, Informative)
Whew!
Re:How very timely... (Score:4, Informative)
If 11Mbps is sufficient for your needs, you could by a 802.11b wireless card that uses the Prism 2.5 chipset. This chipset can function in hostAP mode. At home I use Netgear MA311 in an older Dell functioning as my wireless access point, internet gateway and firewall. Instead of WEP, I use IPSec, and only authorized IPSec traffic is allowed (and thus no leaching from my Kazaa loving neighbour).
You might need to flash the firmware, though, which you can find here [star-os.com].
If you want a secure, easy and hassle free gateway, just install OpenBSD [openbsd.org].
Re:Good grief... (Score:4, Informative)
Re:Packaged network boxes (Score:1, Informative)
You can change your NTP Server setting on this router with some of the more up to date firmwares. I'm using A2.4 and there is an option to set the NTP server of your choice under the "Schedule" Menu.
The Linksys problem was a false report (Score:4, Informative)
No, it wasn't... (Score:3, Informative)
They also have beta firmware up on that link you posted to fix the problem.
WAP54G also had SNMP issues in 1.08 (Score:2, Informative)
Re:they published the password? (Score:1, Informative)
Re:The problem of convinience (Score:4, Informative)
Smoothwall [smoothwall.org] is exactly that, a custom Linux distro with boot-from-cd install that only requires you to hit "enter" a couple dozen times to turn any old 2 nic pc into a pre-configured modern firewall with internal NAT and DHCP.
I use it and find it very handy (lots of old PC hardware about)
Re:they published the password? (Score:3, Informative)
Well, I used it to verify whether I was vulnerable. I was. I'm glad to observe it. I've downloaded the new firmware and hope to be safe. They couldn't contact me via registration card because I NEVER send in those things. They're just marketing gimmicks used as an opt-in.
Moreover, the script kiddies will manage to get this information whether or not it's publicly posted. This way, I have it as well as them.
Just my view.
Re:Fixed in new firmware, available here: (Score:5, Informative)
(You can find it yourselve by just taking similiar steps as in the securityfoces article.)
Re:The Linksys problem was a false report (Score:2, Informative)
No, I did not issue a statement admitting it was a false report. I said that a critical element did not show up in testing of newly purchased equipment.
And I am not sure how I feel about Mr. Seltzer's article. Especially his statement about trust. It is obvious that we should trust him over others because he is the author of the "Official" book on LinkSys. I do not, however, think that we should dismiss, or not trust, anything anyone has to say about security, regardless of stature. True, my announcement was not confirmed, and the more responsible in the Internet news community did indeed hold off on their reports while responses and discussions continued. Bravo.
LinkSys has "told" us by proxy of Mr. Seltzer that the units I got with the odd behaviors were customer returns. Well, I cannot speak for what LinkSys says -- they certainly did not say that to me. I do say that is pure conjecture, on both my and LinkSys' part, but it does make for a reasonable assumption concerning the three units used in later testing.
Just for information, there is no comment from LinkSys on this issue on its press release page http://www.linksys.com/press/press.asp , nor from Cisco http://newsroom.cisco.com/dlls/index.html
Even so, I still stand firmly by my original findings. Two older units *did* do this, even after a factory reset. Bad hardware? Pre-release firmware? Who knows. I saw what I saw. But it does go to prove one very important point: we should not be complacent about our perception of security. If you install Internet-facing equipment for clients, you are providing a great service to everyone if you port-scan the device. When you purchase Internet equipment, check the configurations and make sure it matches up to what you expect. Do not take your security for granted.
As an aside, Larry Seltzer, regardless of his credibility, is another journalist who has never contacted me for clarification or expanded information.
NOT fixed in new firmware! (Score:3, Informative)
Does Netgear really think the security community is that stupid? They should be ashamed.
NOT A PROBLEM (Score:3, Informative)
If you don't immediately check for upgrades when you open a box and haven't with this hardware, though, perhaps you deserve to get 0wn3d?