A security flaw affecting several Netgear Wi-Fi router models can be exploited to gain access to various pieces of information, including the administrator password, a researcher has warned.
According to Peter Adkins, the vulnerability has been successfully reproduced on Netgear WNDR3700v4, WNDR3700v2, WNDR3700v1 WNR2200 and WNR2500. The flaw could also impact Netgear WNDR3800, WNDRMAC, WPN824N, WNDR4700 and possibly other models.
The issue is related to a Simple Object Access Protocol (SOAP) service that is embedded in some Netgear devices for use with Netgear Genie, an application that allows users to monitor and control their home network from a PC, Mac, smartphone or tablet. Genie can be used to view and configure WLAN credentials and SSIDs, connected clients, and parental controls.
“At first glance, this service appears to be filtered and authenticated; HTTP requests with a `SOAPAction` header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a `SOAPAction` header is sufficient to execute certain requests and query information from the device,” Adkins explained.
“As this SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query,” he added.
The researcher has published technical details and a proof-of-concept which demonstrates how an attacker could leverage the vulnerability to obtain the administrator password, WLAN details, the device’s serial number, and information on the clients connected to the router.
Netgear was notified in mid-January through the company’s support channel. However, the support ticket was closed at the end of January without any action being taken. The Mitre Corporation, the organization in charge of Common Vulnerabilities and Exposures (CVE) identifiers, has also been notified, but a CVE has not yet been assigned to this issue.
“Netgear takes customer security seriously,” Netgear told SecurityWeek in an emailed statement. “As we investigate this alleged security vulnerability, we encourage our customers to make sure Wi-Fi security is turned on (this is the default setting on our routers & gateways) to prevent unauthorized devices from joining your network and to be sure remote management is turned off (this is also off by default) to prevent unauthorized devices from accessing your network from the WAN.”
Adkins also advises users to disable remote/WAN management on affected routers, and ensure that only trusted devices are allowed to access the local network.
It’s not uncommon for researchers to identify security issues in routers. Last year, vulnerabilities were found in devices from Asus, Belkin, Netis, and Cisco. In December, Check Point reported identifying a flaw that affected millions of small office and home (SOHO) routers.
