Vulnerability In Linksys Cable/DSL Router
ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
after everyone who knows what they are doing flashes their firmware, 99.9% of routers will remain vulnerable...
I hold a patent on sigs...
check Popular Linksys Router Vulnerable to Attack
on eWeek also
According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.
I am sure not a single hacker out there is going to investigate if Hillary Rosen has upgraded her software, and if they did so, it would only be to test her system, due to concern for her security and to warn her of possible problems.
---
When you come to a fork in the road, take it! --Yogi Berra--
It's a 4 port home router - who's going to wage a DOS attack on a piddly $50 home router? And even if they did - just reset the darn thing. No big deal. I would only get the patch if this problem happened repeatedly.
Or am I missing something?
From the e-week article, all you have to do is disable remote admin, which is the default setting, which you should have confirmed anyhow. Duh.
No firmware flashing needed.
political_news.c: warning: comparison is always true due to limited range of data type
While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).
--CTH
--Got Lists? | Top 95 Star Wars Line
http://www.linksys.com/download/default.asp
While I have a linksys router, this still does not concern me. All I have to do is unplug it, and plug it back in. Net' access restored. I don't know of any home users who need 100% uptime internet access. I suppose there are some work at home people who might need it. But personally, I have more problems with AT&T cable's fluctuating speeds than I would with my router crashing.
This only affects you if your router has 'remote management' enabled. Since so few people need this, and those that do are more technically minded, this shouldn't be much of an issue. The worst this flaw can cause anyways is for the router to crash. The software in there sucks. My linksys crashes if it can't find a dhcp server; that a simple cgi script error crashes it is nothing new to me.
It looks like in order to cause the crash you have to have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal ip address, along with not coming through the wan port.
Just my 2 cents.
Devices like linksys suffered from a much larger security problem. IGNORANCE! Highspeed access in the home has brought about a whole new type of internet user. The type that doesn't log off. Let's be honest, many of us are lazy. We know what we are doing but still lazy. Then there is the other group, not lazy, but they don't know what they are doing. The security issues that go along with multiple machines, always connected to the internet without ANY protection (node firewalls like Norton Internet Security for example, or virus protection, I don't need to give an example of that) far exceed any "NEW" issues that may now exist because of a flaw in this product. Education!!! Plain and simple will reduce any threat that this flaw or any other would exacerbate.
Here is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. It's the newest one I could find.
I have one of these, and the remote administration isn't enabled by default.
So for Aunt Tilly, there's no real danger unless the malicious person is on the network.
Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"
I upgraded my BEFSR11 and it used the same firmware update as the *41 (4 port switch model) so it's pretty safe to assume this version is vulnerable as well.
The firmware updates can be had here:
http://www.linksys.com/download/firmware.asp
Unless you've got your router set up to allow you to configure it remotely (ie: on the cablemodem side of the network; aka, while you're at your friend's house). If you've done this, odds are this problem is the least of your concerns.
And there's already a firmware fix for it, should you be concerned that any script kiddies living in your house will want to hose their connection to the outside world...
Firstly, my router (SMC, not linksys) crashes on its own every now and then.
It's consumer grade gear, people are probably used to turning them off and back on again anyway. And it's not like the main computer is affected.
Secondly, the attack has to originate on the inside network. It's not like the script kiddiz can take out these boxes en masse by blasting out a load of packets. Once you visit a malicious site - if there even is a real one - you'll soon learn not to go there again.
When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.
"Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Weird or what...
I've spent this evening trying to sort out why the router goes belly-up after using eDonkey for a while. The problem started a week ago, but since then the occurrences were more regular. I just upgraded the firmware an hour ago!!!
I have the BEFSR411 and found a decent forum link with the same problem... and there is another link of info/problems here.
I suppose it goes without saying that updating the firmware is a good idea... at least there are more improvements to the web-config interface. I'll just have to see how long the connection stays up.
Are you local? There's nothing for you here!
But this majority also won't go into the advanced options of their Linksys to turn on Remote Management and make it vulnerable to this attack.
Omnia vestra castrorum habetur nobis.
I hate Linksys. I have that router, and it kept crashing on me. Changed the cable, everything, etc. Nothing. Even thought it was the cable modem for a while (would lose net access, but I finally found out the router wouldn't accept internal pings either). They sent me a new one (made ME pay for shipping), and it did the same thing. Tried all firmware versions, nothing.
Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.
Now, this bug shouldn't really affect anybody cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me one bit!
If anyone hears reports of the '41 being subject to ME or XP attacks, please post. For now...well... I've never been afraid of a couple of backslashes or a c:\.
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
I have a WAP-11 and it would freeze every time I'd transfer at "high" speed. Upgrading the firmware solved the problem. Now about range, I've seen a Cisco WAP suck even more (15" range indoor) and somehow resetting all defaults (which we didn't change) made it work. Seems like all this Wi-Fi equipment is still a bit experimental...
Opus: the Swiss army knife of audio codec
The following showed up on the NetStumbler site yesterday:
- GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem. Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.
-
- Systems Affected:
-
- Vulnerable, tested, OEM Version from GlobalSunTech:
- WISECOM GL2422AP-0T
-
- Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
- D-Link DWL-900AP+ B1 version 2.1 and 2.2
- ALLOY GL-2422AP-S
- EUSSO GL2422-AP
- LINKSYS WAP11 v2.2
(And I just got a WAP11, dammit.)
In other news, JWZ's DNA Lounge is having troubles with their Linksys WAP11-based wireless link, which is their only connectivity right now.
- "...the best sustained throughput they can handle is on the order of 64k."
Ouch. (They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
This boggles my mind:
The 4-port DSL router (vulnerable) is using firmware 1.40something, and must be upgraded. The latest is 1.43.
The 8-port model, which is what I have, and which is exactly the same damn thing (same functionality, same interface, almost the same user manual) except that it's a few inches wider and has 4 more ports, uses firmware 2.something. And is apparently not vulnerable.
Providing another 4 ports (one extra bit?) requires the firmware to be that different?
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Yes.
Nah, dude. I've had a BEFSR41 for almost two years now, and it has been nothing but rock-solid. Zero complaints on this unit. Of course, nmap identifies it as "trivial" but it's just a home box, more than adequate for keeping the casual s'kiddie off my back :)
What a lame report! The sparse on details is that the remote management feature is not enabled by default. Well, doh!, if I turn on remote management someone can get in and affect my system (particularly if I don't change the password). Imagine that!
I'm an American. I love this country and the freedoms that we used to have.
http://www.linksys.com/download/
How could it "not really have much of an OS" if it runs an HTTP server?
Here is a mailing list archive or yet another redundant reference of this problem. It's almost a year old. Come on slashdotters, don't get sloppy in the deluge huh?
What you're all forgetting is, this is only an issue if you have remote management enabled, and it's not enabled by default...
(Seriously, does anyone read a thread before they post anymore?)
I'm glad they posted this. Eventually I'll go over to my mom's house and upgrade her firmware. I can't really see her crashing her own router... well, not on purpose, anyway. She might by accident trying to go to Yahoo! (which is what she calls whatever browser she happens to be using, unless it's AOL. No, not net savvy.)
Don't you wish your girlfriend was a geek like me?
LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that is supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here. It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. It worked for me.
It doesn't take much to implement a TCP/IP stack, apparently. Check out a matchhead-sized web server. http://www-ccs.cs.umass.edu/~shri/iPic.html
In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their hearts content, or write a script to scan through an IP range and automate it.
http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=469092836&m=5300962863
I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.
Linksys firmware since February 2002 has been reasonably decent. Early versions would crash about once a day in normal operation.
It's not all that urgent for me, since however idiotic I might be, I made doubly sure when I set the thing up that remote management was disabled. Imagine all the "http://admin:admin@address/" attempts there'd be otherwise.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Yes, there's a DoS possibility in the Linksys routers. It's fixed in the 1.43 firmware release. Anyone who reads the Linksys forum at DSL Reports has known about this for weeks!
I saw this happening on my router about three weeks ago... lights freaking out blinking... in other words a lot of traffic going through... Hit the good ole netstat -n and the spoofed IP adds were from get this... IANA.org What a sense of humor! Went through a bout of paranoia updated all my hardware firmware and other crap... Called Comcast told them about the DoS attack... of course they didn't care...
Still a great piece of hardware.
I think this is the first or one of the first times we hear of one of these small router/NAT devices having vulnerabilities. This one is not very serious as it will only crash the device rather than allow someone to gain access to the network, but both this and other devices may have holes that would allow hackers to gain access to home LANs.
This could be a serious problem in the coming future with these small routers/NATers being combined with wireless APs for everyone to use AIM from the couch. Great and all, but people with these things are probably going to bother even less with security than they do now, thereby introducing a whole host of nasty little attacks.
This should be interesting to watch for.
The default Linksys in the article has 4 ports, true, but they can actually support 254 clients if you connect them to a switch. Furthermore, the BEFSR11 is a one-port, designed to be connected to a switch or hub, and has proven very popular in labs of anywhere from 10-30 workstations, although it can actually support up to 254 clients. Consequently, there are those out there who may get a sick kick out of kicking schools, non-profit organizations and other institutions offline.
The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot. Practically maintenance free. Most of mine already have upgraded firmware, but you can bet that I - and several other admins who oversee non-profit and educational sites - will be busy checking firmware versions for a while.
I have 2 WAP 11's bridging a T1 line over 1600 feet. They've worked perfectly for over 6 months and have never been rebooted or reset. Paid for themselves a couple times over. Consistent 1.4Mbps all the time. Sorry about your problems.
"Eve of Destruction", it's not just for old hippies anymore...
I had an early post in this thread pointing out the popularity of this router in non-profit and educational settings to run labs - since this router is vulnerable to this attack from the inside or outside, (outside only if remote management is enabled), it should still be patched - because even if remote mgt is disabled some idiot delinquent on the inside can bring down the whole facility just by cutting & pasting into the URL of their browser if they are behind the router. I support several labs that have people silly enough to do just that for kicks.
I just bought an SMC Barricade and I'm pretty happy with it... it has stateful packet inspection and a few other nice features.
You're using her as bait, Master!
Sending a certain string over a certain UDP port will cause the AP to return the WEP key, mac filter settings, and admin password over the WLAN and LAN side.
Exploit can be found here
Makes me glad to have bought an Apple Airport for a change.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.
The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guestimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.
I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The third reason is that Block WAN Request is enabled by default. This is how these routers make themselves invisible to the web: they just drop the packets that come from outside. This can be combined with opening a specific port (forwarding), in which case the traffic on that port is directed to a SPECIFIC machine on the LAN.
The Lazy Way to deal with this is to turn remote management off. If you have no problems, leave it alone until you have some other reason to flash it.
BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
1.43 seems to still have a bug where the uPnP forwarding page doesn't load properly. Linksys' "fix" for BEFSR41 v1 owners is to load the FORMER version of firmware which doesn't have uPnP which is apparently susceptible to this vulnerability. (Note: I have remote management turned off, please don't waste time trying to hax0r me.)
As a result I am never buying another linksys firewall product nor am I suggesting them for others. I'm hoping that someone will bring out a mini itx with dual ethernet soon so I can cheaply build a very small linux-based replacement for my linksys box. (IE, which runs off a small power supply.) I have a 2 gig laptop disk just sitting waiting...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If I can't see under the hood (who says I'll understand everything I'll see though), I tend not to trust things like this, esp. when it comes to security. My good ol' linux router on a P90 suits me just fine and I can do so much more with it. I don't see me owning one of these ever, so I don't have to worry. :)
I own this product, so have decided to upgrade the firmware. Since I'm running Debian, I clicked the "Other Operating Systems" link on the firmware download page, only to be presented with a ZIP archive containing a Windows executable! Is this some kind of sick joke?
If you own this router and you own IE 5 or above, please visit this upgrade page, substituting the IP of your modem for 192.168.1.1 [Default].
Well mine worked fine too until my ISP switched to a more heavily portscanned netblock. Hence the UDP port scans.
While these "DSL routers" and other various "consumer grade" networking products have popped up like dandelions in spring, so have the problems.
;-)
My first venture into the fray was with an XSense (formerly MacSense) Xrouter. It was their variation on the "cable router" scene, for what is really more properly named a NAT box. It seemed to handle the fileserver well and port mapping was working fine. For their credit I'd also like to say they have some of the most impressive event logging I have ever seen, even recognizing attacks and identifying them by name. Then I tried to run a traceroute to an outside point to see how hop times were looking. Nothing.
"Maybe it's filtering my packets?" I think, and try to connect to its web administration page, but no response. Oops, my clients just lost connection to the servers they were attached to. And look, all the users are dropping off my server. What the...? It turns out that any attempt to traceroute out causes the router to reboot. It continues to reboot until you stop the traceroute, and then takes several seconds to unscramble its eggs before you get connectivity back.
I called up XSense and asked them what was going on, and if they had a firmware flash for me to fix it. Surprise, he reminds me that they did indeed ship their own traceroute program with the router, and I should use that. I run it, and surely enough, no crash. Tried every other traceroute app I could find, and every single one crashed the router except theirs.
The words known issue float through my head. I bickered a bit with the rep about how NO app I (or any of my users!!!) runs should be able to crash my NAT. End result, they don't care. Got off the phone with them and called up the vendor, they're like "here, let me get you the manufacturer's support number". "Nope, they told me tough luck they know about it and they don't care." "Oh... let me get you an RMA."
I actually ended up exchanging it for an Asante FR4003, which has worked flawlessly ever since. It gets a bit warm, so I keep it elevated so the metal bottom plate gets some convection. (It really should have some ventilation slots.) And they've updated their firmware twice now, both times including suggestions for improvements that I sent them. Very solid product. Interesting people answering their tech support though; I got a bit agitated one time when I was doing something stupid and got a bit argumentative with them... that's the only time I've ever had a customer support rep tell me to "shut the hell up and listen for a minute!" but maybe that's what I needed to hear at the time...
I work for the Department of Redundancy Department.
I mean christ, their webpage is falling apart, sure Addtron routers may not be as flashy as Netgear or Linksys brandwise, but damn, it can't be *that* hard or *that* costly to maintain a site well enough to get the firmware updates that people need.
At least there are brands that try to take care of their customers' concerns. Yeah I know a homebrew linux router would do the trick, but I paid good money for this router and they give me an unusable site for support in return.
A Penny for my thoughts? Here's my two cents. I got ripped off!
Actually you CAN upgrade one from Linux. Remove the password and then use tftp. Their mutant Windows tftp has been modified to send the password, which isn't part of the TFTP protocol. But if the password is null the normal tftp works just fine. I have upgraded mine (I have the BEFW1S4 with the wireless included) twice in the approx two years I have owned it and I don't do Windows.
Democrat delenda est
I used PPPoE with a Linksys & BellSouth DSL for better than a year without any problems. What's your bitch with it? And DSL != PPPoE. I'm now on DirectvDSL and they are a super clean pipe. While I have to use their router to get my static IP, while waiting for it to arrive I had an Alcatel Speedtouch Pro in dumb bridge mode doing plain vanilla DHCP on the Linksys. Just depends who you get service from.
OK, I know I'll be shunned for this...but...
Over the years I've had several Linksys and Netgear routers fail. I got tired of that and decided to try something new. Since I wanted good UPNP support I grabbed one of the new Microsoft routers. I'm not sure who actually makes them, but I figured they had good keyboards and mice, right?
The router is VERY nice. The interface is the best of the bunch, by far. While the Linksys never showed up as a UPNP device on my network (even with upgraded firmware and UPNP enabled) the MS router did. It also has a very simple setup procedure for a new user so they could get a whole network going in a few minutes with no confusion. I've also read that their wireless NAT routers will NOT let you run without WEP enabled and it makes it real easy to enable it. It writes the key to a floppy that can be put in the client workstations to get WEP going.
I haven't checked since Spring 2000, but Win95, Win98, and WinNT4 were all "trivial" as well, at the time.
And yeah, I've used the BEFSR41 for two+ years now, and it's been rock solid for me, as well. There is (or at least was) one problem where you could slip traffic into the inside network even though the firewall should have rejected it, but I'm pretty sure that's been fixed by now. Besides, you'd have to know the IP assigned to the interior machine to actually get traffic to it using this technique (which is why mine's not set up to use the default DHCP scheme).
Xentax
You shouldn't verb words.
Ooh. I've always wanted an opportunity to do this, particularly when it's so well deserved.
RTFM
In a related, underpublicized story, Linksys's WET11, which has been getting a lot of buzz as a cheap wireless ethernet bridge, has a firmware flaw which allows a DoS. LinkSys has been slow to come out with a fix.
What.....like this:
--an unbreakable toy is useful for breaking other toys--
It's impossible to overflow the NAT table with UDP packets on a few sessions. The NAT table keeps one entry per session, not one entry per packet. If I make a connection to a server and get a stream of a trillion UDP packets, that's one entry in the NAT table used to map the session. You would need to sustain 520 sessions to fill up the NAT table.
They say that the router has a 512KB memory buffer, but I'd assume they meant to say that it has 512KB of memory. Most of that memory is probably filled by the OS and settings. I wonder how much memory is actually devoted to the NAT table.
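To make the per-session argument above concrete, here is an added toy model of a NAT session table (not Linksys firmware and not the poster's code): it uses the 520-entry capacity quoted in the comment, while the UDP idle timeout and external port pool are assumptions.

```python
"""Toy NAT session table: one entry per session (5-tuple), not one per packet.

Added example. Capacity of 520 comes from the thread; the idle timeout and
external port pool are assumed values, and all addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
Session = Tuple[str, str, int, str, int]

TABLE_CAPACITY = 520      # quoted in the comment above; real firmware limits vary
IDLE_TIMEOUT = 60.0       # assumed UDP idle timeout, in seconds
FIRST_EXT_PORT = 1024     # assumed start of the external port pool


@dataclass
class Entry:
    ext_port: int
    last_seen: float
    packets: int = 0


class NatTable:
    def __init__(self, capacity: int = TABLE_CAPACITY, idle_timeout: float = IDLE_TIMEOUT):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries: Dict[Session, Entry] = {}
        self.next_port = FIRST_EXT_PORT
        self.dropped = 0  # new sessions refused because the table was full

    def _expire(self, now: float) -> None:
        """Drop entries idle longer than the timeout (mirrors a real NAT's ageing)."""
        stale = [k for k, e in self.entries.items() if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def translate(self, session: Session, now: float) -> Optional[int]:
        """Return the external port for an outbound packet, or None if no slot is free."""
        self._expire(now)
        entry = self.entries.get(session)
        if entry is None:
            if len(self.entries) >= self.capacity:
                self.dropped += 1
                return None
            entry = Entry(ext_port=self.next_port, last_seen=now)
            self.next_port += 1
            self.entries[session] = entry
        # Repeat packets on an existing session only refresh the entry.
        entry.last_seen = now
        entry.packets += 1
        return entry.ext_port


def single_session_flood(n_packets: int) -> Tuple[int, int]:
    """Many packets on one session: table usage stays at one entry."""
    nat = NatTable()
    s: Session = ("udp", "192.168.1.10", 40000, "203.0.113.5", 53)
    for i in range(n_packets):
        nat.translate(s, now=i * 0.001)
    return len(nat.entries), nat.dropped


def many_sessions(n_sessions: int) -> Tuple[int, int]:
    """One packet each on distinct sessions at the same instant: fills to the cap, then drops."""
    nat = NatTable()
    for i in range(n_sessions):
        s: Session = ("udp", "192.168.1.10", 40000 + i, "203.0.113.5", 53)
        nat.translate(s, now=0.0)
    return len(nat.entries), nat.dropped


def sessions_with_idle_recovery(n_sessions: int, gap: float) -> Tuple[int, int]:
    """Distinct sessions spaced `gap` seconds apart: ageing keeps the table from filling."""
    nat = NatTable()
    for i in range(n_sessions):
        s: Session = ("udp", "192.168.1.10", 40000 + i, "203.0.113.5", 53)
        nat.translate(s, now=i * gap)
    return len(nat.entries), nat.dropped


if __name__ == "__main__":
    print("10000 packets, 1 session  ->", single_session_flood(10000))
    print("600 sessions at once      ->", many_sessions(600))
    print("600 sessions, 1s apart    ->", sessions_with_idle_recovery(600, 1.0))
```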
It also CORRUPTS data within the network. I was running apache on my system and when I accessed it with loopback (or from any other computer on the network), the pages would come back garbled in some way half the time. It did this for people outside the network too on early versions of firmware, but they fixed the outside problem. I guess they didn't bother to check inside. When I plugged the system straight into the modem, problems disappeared.
After getting no support (box says '24/7'...I tried 8 times for a total of 16 hours worth of being put on hold) and no returned emails, I kicked this piece of shit to the curb and bought a Netgear.
Haven't had a problem since. Spend the extra $20 and buy a netgear.
-
Maybe they had a bad run of the things early on? I got mine a few months after they first appeared (March 2000 I think was the original firmware date). It wouldn't surprise me if they cut corners to keep them $20 under competitors.
-
Ok, I admit. I did post my opinion, which is based upon experience both with the router in question, and several NAT boxes I've set up using old peecees and iptables. I base my statement on security on the returns I get when I nmap one of my NAT boxes versus the linky router I use at home. Five million versus fourteen (not thousand or million, just 14). And yes, I do patch all of the hardware I have to take care of. :)
So, opinion, yes, based on experience, yes as well. One side issue: It's a hell of a lot harder for a student to walk out of a lab unnoticed with a 486 (assuming that student would even want to do so, which seems unlikely to me) versus slipping a BEFSR41 into his backpack. So there's that layer of security as well... although that same student would probably swipe the switch, now that I think of it.
A similar problem exists on the D-Link DI-704P router/firewall. Essentially, any http request not formatted exactly as the router expects causes the router to stop handling packets for several minutes. I reported this bug to D-Link, but was told the problem does not exist, despite the fact that other people were able to recreate the problem! KDE Bug #40538 has the details, as the Konqueror browser triggers the problem.
Come test your mettle in the world of Alter Aeon!
Granted, there doesn't appear to be anything of real value there now, but that may change now that OpenNIC is available to every Linksys customer out there.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Space & noise. And set up. And redundancy. We already use Linux servers to provide DNS & file sharing. I suppose we could just pile it all on one Linux box, but if we did that, the Linux server is just one more single point of failure. We use jet directs, too, and we could run that off the Linux server if we wanted to...but if the server crashes, we still have Internet & printing; if the Linksys crashes, a simple line change on the server activates DHCP and we're still up internally, although we have no Internet...you get the picture. Short version, we're on a budget and we don't want a pile of power-hungry computers when a little Linksys does what we want to, and quite nicely. And, in a pinch, we could always fire up the proxy functions of the server. Hasn't happened yet, though. We've had server hard drives die, but we've never had a Linksys fail in the lab - although one or two have been DOA.