# Title: Netgear DGN2200, DGND3700 and WNDR4500 Multiple Information Disclosure Vulnerabilities
# Author: Mandar jadhav
# Vendor Homepage: https://www.netgear.com/
# CVE's : CVE-2016-5649, CVE-2016-5638
1. Admin password disclosure (CVE-2016-5649)
A vulnerability is in the 'BSW_cxttongr.htm' page which can allow a remote
attacker to access this page without any authentication. When processed, it
exposes adminas password in clear text before it gets redirected to
absw_vfysucc.cgia. An attacker can use this password to gain administrator
access of the targeted routeras web interface.
Affected Models:
Netgear DGN2200 running firmware version DGN2200-V1.0.0.50_7.0.50
Netgear DGND3700 running firmware version DGND3700-V1.0.0.17_1.0.17
Solution:
Netgear has released firmware version 1.0.0.52 for DGN2200 & 1.0.0.28 for
DGND3700 to address this issue
2. SSID & wireless key Disclosure (CVE-2016-5638)
There are few web pages associated with the genie app. Genie app adds some
capabilities over the Web GUI and can be accessed even when you are away
from home. A remote attacker can access genie_ping.htm or genie_ping2.htm
or genie_ping3.htm page without authentication. Once accessed, the page
will be redirected to the aCongratulations2.htma page, which reveals some
sensitive information such as 2.4GHz & 5GHz Wireless Network Name (SSID)
and Network Key (Password) in clear text.
Affected Models:
Netgear WNDR4500 running firmware version V1.0.1.40_1.0.68
Solution:
WNDR4500v1 has reached the End of Life so Netgear wonat be releasing any
updates for this.
## History
23.06.2016 - Initial contact to Netgear
24.06.2016 - Reported all details to Netgear
01.07.2016 - Email sent to Netgear asking for status update, no response
14.07.2016 - Email sent to Netgear asking for status update, no response
26.07.2016 - Netgear confirms findings
31.08.2016 - Email sent to Netgear asking for status update
02.09.2016 - Received reply from Netgear that they will be releasing a fix
for this
23.12.2016 - Netgear informs that vulnerability has been fixed in the new
version
Thanks,
Mandar