Vulnerability traces back to Netgear's Genie application

A security researcher has discovered a vulnerability in several wireless routers made by Netgear that could give an attacker unauthenticated access, both locally and remotely. The vulnerability relates to a service that communicates with Netgear's Genie software, an accompanying program that provides a desktop (or mobile) dashboard so you can easily manage and monitor your router's settings and activity.
Peter Adkins, the researcher who discovered the vulnerability, says the embedded SOAP service appears at first glance to be filtered, but is easily manipulated.
"HTTP requests with a 'SOAPAction' header set but without a session identifier will yield a HTTP 401 error. However, a HTTP request with a blank form and a 'SOAPAction' header is sufficient to execute certain requests and query information from the device," Adkins explains.
Since the SOAP services is implemented by the built-in HPPT / CGI daemon, it's possible for unauthenticated queries to be answered over the web, though only if remote management is enabled. If so, a "well placed HTTP query" is all that's required to interrogate and hijack an affected router, Adkins says.
When Adkins contacted Netgear about the vulnerability, he was advised to email the company's support team, which he did. However, Netgear downplayed the issue and ultimately closed the support ticket, adding that there are built-in security issues that should keep the network secure.
Adkins says he's confirmed the bug exists in Negtear's WNDR3700v4 (firmware v1.0.0.4SH and v1.0.1.52), WNR2200 (v1.0.1.88), and WNR2500 (v1.0.0.24). He also believes (but has not yet confirmed) it exists in at least four other models, including the WNDR3800, WNDRMAC, WPN824N, and WNDR4700.
Follow Paul on Google+, Twitter, and Facebook


More...