The manufacturer NETGEAR has issued an urgent notice to all owners of its professional VPN and firewall routers. The affected models are the BR200 and BR500, two models widely used by small and medium-sized businesses because of their advanced configuration options. The manufacturer has declared that, due to technical limitations beyond its control, it will not be able to correct these critical security vulnerabilities. In other words, the manufacturer leaves all its clients completely stranded and invites them to buy another model of professional router to replace it as soon as possible, because the security of the company is at risk. Next, we are going to explain everything related to this serious case.
Security flaws in the BR200 and BR500
At RedesZone we were one of the first media outlets to have the opportunity to test the NETGEAR BR500, a professional router with a very complete firmware that also allows management from the cloud with NETGEAR Insight. This router model acts as a VPN server for companies: it allows clients to connect in remote access mode, and it also allows VPN tunnels to be established between different offices to interconnect them. The BR200 and BR500 have a powerful, highly configurable firewall, and the local network can be segmented into VLANs to add a layer of security to the professional local network.
Now the manufacturer NETGEAR has published an advisory and has sent an email to all customers and users of this router, warning that it is aware of critical security vulnerabilities affecting two of its business routers. That professional products have vulnerabilities is something “normal”; all manufacturers, such as Cisco, Ubiquiti and many others, have suffered from these security flaws. What is not normal is that the manufacturer states the following:
- “Due to technical limitations beyond our control, we are unable to correct these vulnerabilities.”
It is very worrying that a manufacturer like NETGEAR cannot correct this flaw, and even more so that it affects a professional router used by thousands of companies all over the world. You can see the full email below:
The vendor tells us that, to be exploited, this vulnerability requires the computer managing the router to visit a malicious website and click a link while the router’s GUI is open. Although that may seem like a lot of requirements, a well-designed phishing attack could satisfy both at once to exploit the vulnerability in the router and take full control of the device.
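The condition the vendor describes, a request reaching the management GUI while the administrator's browser is also on another site, is what an origin check on state-changing requests is designed to refuse. The following is an added illustration of that check, not code from NETGEAR or from the advisory; the router address, header names and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed: the origin the administrator's browser uses to reach the
# router GUI. An assumption for illustration, not a value from the advisory.
ROUTER_ORIGIN = "https://192.168.1.1"

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] so it can be compared."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def allow_request(method: str, headers: dict) -> bool:
    """Decide whether a request to the management GUI may change state.

    Reads (GET/HEAD) are allowed from anywhere. Writes must prove they were
    sent by the GUI itself: the browser's Origin header (or, failing that,
    Referer) has to match the router's own origin. A write carrying neither
    header is refused, since a page on another site is the kind of source
    that produces such requests.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    if origin is None and "referer" in h:
        origin = _origin_of(h["referer"])
    return origin is not None and origin.lower() == ROUTER_ORIGIN.lower()


# Constructed requests: the first comes from the GUI's own page; the others
# model the cross-site case the advisory warns about.
SAMPLE_REQUESTS = {
    "gui_form_submit": ("POST", {"Origin": "https://192.168.1.1"}),
    "other_site_form": ("POST", {"Origin": "https://third-party.example"}),
    "no_origin_header": ("POST", {}),
    "plain_page_load": ("GET", {"Referer": "https://third-party.example/page"}),
}


def evaluate_samples() -> dict:
    """Run every constructed request through the check; True means allowed."""
    return {name: allow_request(m, hdrs) for name, (m, hdrs) in SAMPLE_REQUESTS.items()}
```

A browser sets the Origin header itself and a page on another site cannot forge it, which is why the check is effective only when the GUI enforces it server-side, something the advisory says these models will not receive.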
The most striking thing is that the manufacturer NETGEAR offers absolutely no patch to solve the problem; the only thing it recommends is the following:
- Isolate the local network using VLANs.
- Use MAC-based access control lists.
- Make sure that the PC used to access the router’s graphical user interface is properly protected, so that the vulnerability in the router cannot be exploited.
- Do not visit any malicious or suspicious website; avoid phishing.
- Close all browser tabs except the router’s graphical interface.
- Make sure to log out of the router when finished.
That is, basic security recommendations that do not solve the problem at all.
NETGEAR offers you discounts for you to buy another router
The manufacturer has indicated that recent buyers of the BR200 and BR500 models will be sent a free replacement router, while those who bought earlier will be given a 50% discount. The conditions are as follows:
- If you purchased the router after May 19, 2021, you will be given the SXR30 model (Orbi Pro WiFi Mini AX1800), a model valued at 110 euros, while the BR500 cost approximately 300 euros.
- If you bought the BR200 or BR500 before May 19, 2021, you will get a 50% discount on the SXR30 model; that is, they give you €50 so that you spend another €60 on a model that is not from the professional range.
To request these discounts you have to send an email to email@example.com with the serial number data, purchase invoice and your personal data.
The solution that NETGEAR provides for these routers is complete nonsense, and surely in the US there are lawsuits against the manufacturer over all this. Not only are they leaving all their customers stranded, but they are giving them (those who bought within the last year) a router that clearly does not have the same characteristics as the BR500 and is simply not suited to the use professional models are given.
If you are affected by this security flaw, stop using these routers as soon as possible and buy a professional model like the D-Link DSR-1000AC that we have analyzed at RedesZone, or a device running pfSense or OPNsense, to protect and manage your company’s network.