Flaw in Netgear Wi-Fi routers exposes admin password, WLAN details

A number of Netgear home wireless routers sport a vulnerability that can be misused by unauthenticated attackers to obtain the administrator password, device serial number, WLAN details, and various details regarding clients connected to the device, claims systems/network engineer Peter Adkins.

The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control (change WLAN credentials, SSIDs, parental control settings, etc.) their routers via their smartphones or computers.

“At first glance, this service appears to be filtered and authenticated; HTTP requests with a ‘SOAPAction’ header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a ‘SOAPAction’ header is sufficient to execute certain requests and query information from the device,” he explained in a post on the Full Disclosure mailing list.

“As this SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query.”

The vulnerability can be exploited both by attackers that have already gained access to the local network and by remote attackers – if the affected devices have the remote/WAN management feature enabled.

Hardware and firmware confirmed affected:

  • Netgear WNDR3700v4 – V1.0.0.4SH
  • Netgear WNDR3700v4 – V1.0.1.52
  • Netgear WNR2200 – V1.0.1.88
  • Netgear WNR2500 – V1.0.0.24.

Check out his post for proof-of-concept code to test yours for the flaw.

“In the absence of a known security contact these issues were reported to Netgear support. The initial response from Netgear support was that despite these issues ‘the network should still stay secure’ due to a number of built-in security features,” says Adkins.

“Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the Netgear ‘OpenSource’ contact has also gone unanswered.”