The vulnerability is found in the embedded SOAP service, which is a service that interacts with the Netgear Genie application that allows users to control their routers via their smartphones or computers.
Network engineer Peter Adkins said that at first glance, this service appears to be filtered and authenticated, but an HTTP request “with a blank form and a ‘SOAPAction’ header is sufficient to execute certain requests and query information from the device,” he explained in a post on the Full Disclosure mailing list.
As the SOAP service is implemented by the built-in HTTP / CGI daemon, unauthenticated queries will also be answered over the internet if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query, Adkins said.
If this is true then the vulnerability can be exploited both by attackers that have already gained access to the local network and by remote attackers.
All this applies to Netgear WNDR3700v4 – V18.104.22.168SH, Netgear WNDR3700v4 – V22.214.171.124, Netgear WNR2200 – V126.96.36.199 and Netgear WNR2500 – V188.8.131.52.
Netgear was told of the flaw and it replied that any network should still stay secure due to a number of built-in security features, said Adkins.
“Attempts to clarify the nature of this vulnerability with support were unsuccessful. This ticket has since been auto-closed while waiting for a follow up. A subsequent email sent to the Netgear ‘OpenSource’ contact has also gone unanswered.”