Netgear Security Vulnerability
Do you own any Netgear products?
If you do, then you need to be aware of a security vulnerability that has been discovered in at least 79 products made by Netgear. One vulnerability affecting many products is not unusual, as the same base software is very often reused across many different devices and models.
Media reports say that the security flaw was discovered by a security researcher, known as d4rkn3ss, at the Vietnamese government's national telecoms provider. This researcher passed the information on to the Trend Micro Zero Day Initiative (ZDI), who contacted Netgear in January 2020 to warn them about the problem. According to a story in The Register, Netgear agreed to a deadline of June 15 to release any necessary security updates, and ZDI agreed not to make the problem public until the same date.
This is a common practice, known as coordinated disclosure, as it gives manufacturers and software publishers plenty of time to get updates and patches released before criminals and hackers discover the flaw and start to exploit it. Netgear had more than four months to get updates released and, as they had agreed to the deadline, they should have been able to do just that.
However, at the end of May Netgear asked ZDI for an extension to the end of June, which ZDI rejected. Up to that point Netgear had not released a single patch for the flaw, and ZDI and others knew that time was rapidly running out for the people using the affected devices. The longer a vulnerability remains unpatched, the greater the chance that someone else discovers it independently.
This was demonstrated when another security research team, Grimm, independently discovered the same flaw in a number of Netgear devices and privately reported it to Netgear in May 2020. It should have been very obvious to Netgear that the vulnerability was being found by others and needed fixing urgently. Yet when the June deadline passed and both ZDI and Grimm went public, Netgear had published fixes for only two of the affected devices.
I realise that the whole world has been impacted by Covid-19 but this cannot be used as an excuse for the abject failure to publish fixes for a security flaw that Netgear knew about for at least five months.
By the end of June 2020 Netgear had issued patches for 28 of the 79 vulnerable devices so some progress had been made. By the end of July 2020 Netgear had issued a notice about the status of the fixes for the affected devices. You can find the notice here:
https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders
The web page shows two different status messages under the Fix Status column. 34 of the devices listed now have a hotfix release available. The remaining 45 devices are listed as ‘None; outside security support period’. This means that no fixes are coming for these devices, and users will need to replace them or accept the risk of the flaw being exploited.
Here is a list of all the Netgear devices that are not going to be fixed:
- AC1450
- D6300
- DGN2200v1
- DGN2200M
- DGND3700v1
- LG2200D
- MBM621
- MBR1200
- MBR1515
- MBR1516
- MBR624GU
- MBRN3000
- MVBR1210C
- R4500
- R6200
- R6200v2
- R6300v1
- R7300DST
- WGR614v10
- WGR614v8
- WGR614v9
- WGT624v4
- WN2500RP
- WN2500RPv2
- WN3000RP
- WN3000RPv2
- WN3000RPv3
- WN3100RP
- WN3100RPv2
- WN3500RP
- WNCE3001
- WNCE3001v2
- WNDR3300v1
- WNDR3300v2
- WNDR3400v1
- WNDR3400v2
- WNDR3400v3
- WNDR3700v3
- WNDR4000
- WNDR4500
- WNDR4500v2
- WNR3500v1
- WNR3500Lv1
- WNR3500v2
- WNR834Bv2
If you own or use any of the devices in the list above, you should seriously consider replacing the device.
I do fully understand that there is a commercial decision that Netgear has to make if it wants to remain a profitable business. Developing software fixes costs money and the people using these devices won’t be expecting to pay for the fixes. Netgear, like all others in the same position, has to decide at what point it stops supporting products it has already sold.
The problem for you and me is that the vast majority of manufacturers and software publishers don’t tell us how long any product will be supported for. In this case, the suggestion is that at least some of these Netgear devices are not many years old.
There is also another problem that troubles me. How many users of these vulnerable devices will know that they have a security flaw or that a fix for some of them is available?
All of these devices are aimed at the home user, the Small Office or Home Office (SOHO) user and small businesses. These are the users least likely to be able to keep up with the various security flaws that their devices may have. They also tend to be the users who keep IT equipment in service long after it should have been replaced.
If you have any Netgear devices, make sure that you check their advisory notice to see if your device(s) are affected by this vulnerability. If you have any of the devices listed above, please contact me for advice.
If you know anyone else who has Netgear devices, please make them aware of the Netgear advisory notice, or of this blog page, so they can check the status of their kit.
The next time you are buying any IT hardware or software, you would do well to ask how long it will be supported before you part with any money. Don’t expect a straight answer, as I don’t think many manufacturers or publishers know, or want to answer, questions like this, but at least you will have asked.
You can also ask me for help or advice before you make a purchase. I like a lot of the equipment sold by Netgear and own some myself but this has made me a lot more cautious about recommending or using their products. It may do the same for you.