Vulnerability In Linksys Cable/DSL Router
ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
After everyone who knows what they are doing flashes their firmware, 99.9% of routers will remain vulnerable...
I hold a patent on sigs...
Check "Popular Linksys Router Vulnerable to Attack" on eWeek also.
According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.
I am sure not a single hacker out there is going to investigate if Hillary Rosen has upgraded her software, and if they did so, it would only be to test her system, due to concern for her security and to warn her of possible problems.
---
When you come to a fork in the road, take it! --Yogi Berra--
From the e-week article, all you have to do is disable remote admin, which is the default setting, which you should have confirmed anyhow. Duh.
No firmware flashing needed.
political_news.c: warning: comparison is always true due to limited range of data type
While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).
--CTH
--Got Lists? | Top 95 Star Wars Line
http://www.linksys.com/download/default.asp
While I have a linksys router, this still does not concern me. All I have to do is unplug it, and plug it back in. Net access restored. I don't know of any home users who need 100% uptime internet access. I suppose there are some work at home people who might need it. But personally, I have enough problems with AT&T cable's fluctuating speeds than I would with my router crashing.
It looks like in order to cause the crash you have to have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal ip address, along with not coming through the wan port.
Just my 2 cents.
Devices like linksys suffered from a much larger security problem. IGNORANCE! Highspeed access in the home has brought about a whole new type of internet user. The type that doesn't log off. Let's be honest, many of us are lazy. We know what we are doing but still lazy. Then there is the other group, not lazy, but they don't know what they are doing. The security issues that go along with multiple machines, always connected to the internet without ANY protection (Node firewalls like norton internet security for example or virus protection, I don't need to give an example of that) far exceed any "NEW" issues that may now exist because of a flaw in this product. Education!!! Plain and simple will reduce any threat that this flaw or any other would exacerbate.
Here is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. It's the newest one I could find.
I upgraded my BEFSR11 and it used the same firmware update as the *41 (4 port switch model) so it's pretty safe to assume this version is vulnerable as well.
The firmware updates can be had here:
http://www.linksys.com/download/firmware.asp
Firstly, my router (SMC, not linksys) crashes on its own every now and then.
It's consumer grade gear, people are probably used to turning them off and back on again anyway. And it's not like the main computer is affected.
Secondly, the attack has to originate on the inside network. It's not like the script kiddiz can take out these boxes en masse by blasting out a load a packets. Once you visit a malicious site - if there even is a real one - you'll soon learn not to go there again.
When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.
"Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
The following showed up on the NetStumbler site yesterday:
GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem. Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.
Systems Affected:
Vulnerable, tested, OEM Version from GlobalSunTech:
- WISECOM GL2422AP-0T
Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
- D-Link DWL-900AP+ B1 version 2.1 and 2.2
- ALLOY GL-2422AP-S
- EUSSO GL2422-AP
- LINKSYS WAP11 v2.2
(And I just got a WAP11, dammit.)
In other news, JWZ's DNA Lounge is having troubles with their Linksys WAP11-based wireless link, which is their only connectivity right now.
- "...the best sustained throughput they can handle is on the order of 64k."
Ouch. (They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
"...America's great minds of today, teaching America's great minds of tomorrow. Poor bastards." -- A Beautiful Min
What a lame report! The sparse on details is that the remote management feature is not enabled by default. Well, doh!, if I turn on remote management someone can get in and affect my system (particularly if I don't change the password). Imagine that!
I'm an American. I love this country and the freedoms that we used to have.
Providing another 4 ports (one extra bit?) requires the firmware to be that different?
Having used both, I can tell you that they are not "exactly the same" as you put it.
The two models are very different.
For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.
Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).
The 4 Switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).
There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that is supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here. It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. It worked for me.
In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their heart's content, or write a script to scan through an IP range and automate it.
http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=469092836&m=5300962863
I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.
I think this is the first or one of the first times we hear of one of these small router/NAT devices having vulnerabilities. This one is not very serious as it will only crash the device rather than allow someone to gain access to the network, but both this and other devices may have holes that would allow hackers to gain access to home LANs.
This could be a serious problem in the coming future with these small routers/NATers being combined with wireless APs for everyone to use AIM from the couch. Great and all but people with these things are probably going to bother even less with security than they do now, thereby introducing a whole host of nasty little attacks.
This should be interesting to watch for.
The default Linksys in the article has 4 ports, true, but they can actually support 254 clients if you connect them to a switch. Furthermore, the BEFSR11 is a one-port, designed to be connected to a switch or hub, and has proven very popular in labs of anywhere from 10-30 workstations, although it can actually support up to 254 clients. Consequently, there are those out there who may get a sick kick out of kicking schools, non-profit organizations and other institutions offline.
The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot. Practically maintenance free. Most of mine already have upgraded firmware, but you can bet that I - and several other admins who oversee non-profit and educational sites - will be busy checking firmware versions for a while.
tftp address of router
tftp> mode binary
tftp> put code.bin
tftp> quit
After you're done, reset your password.
Obvious once someone else points it out.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Sending a certain string over a certain UDP port will cause the AP to return the WEP key, mac filter settings, and admin password over the WLAN and LAN side.
Exploit can be found here
Makes me glad to have bought an Apple Airport for a change.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.
The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guestimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.
I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The Lazy Way to deal with this is to turn remote management off. If you have no problems, leave it alone until you have some other reason to flash it.
BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
Why bother with a laptop disk?
It's just a firewall. It doesn't need mass storage, or at least nothing more than few megs. It just needs to be reliable.
So. Just beg your friend for the throwaway 8- or 16-meg compactflash card that came with his camera, and plug it into one of these.
Less power (can we say "fanless PSU"?), more speed, and superb reliability. With proper research, the adapter should be in the same price range as the 2.5" IDE adapter kit that you'd need for a laptop drive...
Save the hard drive for things that can benefit from the space.
Kid-proof tablet..