CVE-2021-20175

HIGH 7.5 / 10.0
Published: December 30, 2021 at 10:15 PM
Modified: November 21, 2024 at 05:46 AM
Source: vulnreport@tenable.com

Vulnerability Description

Netgear Nighthawk R6700 version 1.0.4.120 does not use a secure transport for its SOAP interface. By default, all communication to and from the device's SOAP interface (port 5000) is sent over plain HTTP, so potentially sensitive information (such as usernames and passwords) is transmitted in cleartext.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Netgear Nighthawk R6700 routers running firmware version 1.0.4.120 transmit sensitive credentials in cleartext because the SOAP interface is served over HTTP rather than HTTPS. Anyone able to observe the traffic can read usernames and passwords, which can lead to complete device compromise and access to the network behind it. This vulnerability poses a significant risk to home and small business networks.

02 // Vulnerability Mechanism

Step 1, Network Reconnaissance: The attacker identifies a vulnerable Netgear Nighthawk R6700 router on the network or through remote scanning (if the router is exposed). They identify the open port 5000, which is used for the SOAP interface.

Step 2, Traffic Interception: The attacker sets up a packet sniffer (e.g., Wireshark, tcpdump) or uses a tool like mitmproxy to capture network traffic. This can be done passively (eavesdropping) or actively (MITM).

Step 3, SOAP Request/Response Monitoring: The attacker monitors traffic on port 5000, looking for SOAP requests and responses. These requests might be initiated by legitimate clients or by the attacker themselves.

Step 4, Credential Extraction: When a SOAP request containing credentials (e.g., username and password) is sent, the attacker captures the cleartext data. This includes the router's administrative credentials.

Step 5, Router Compromise: Using the captured credentials, the attacker can log in to the router's web interface or use the SOAP interface to execute commands, change settings, or gain full control of the device and potentially the network.

03 // Deep Technical Analysis

The vulnerability stems from the lack of transport encryption (HTTPS) for communication with the SOAP interface on port 5000. The firmware transmits sensitive data, including authentication credentials, over HTTP, so every exchange between a client and the SOAP interface crosses the network in plain text. An attacker positioned on the same network segment, or otherwise able to observe the traffic, can capture that data with a packet sniffer such as Wireshark or tcpdump. The root cause is a design flaw: the developers neither implemented nor enforced a secure transport (HTTPS) for the SOAP interface, which leaves the data exposed to both man-in-the-middle (MITM) attacks and passive eavesdropping. The code path that handles SOAP requests and responses applies no encryption of its own, so credentials are readable directly from the captured traffic. There is no authentication or authorization implemented for the SOAP interface.

CVE-2021-20175 - HIGH Severity (7.5) | Free CVE Database | 4nuxd