
Vulnerability In Linksys Cable/DSL Router 262

Posted by CowboyNeal
from the bugs-sploits-and-buffer-overruns dept.
ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
  • by moertle (140345) on Thursday November 07, 2002 @01:00AM (#4614518) Homepage
    after everyone who knows what they are doing flashes their firmware, 99.9% of routers will remain vulnerable...
    • Re:Upgrade Firmware (Score:5, Informative)

      by Unknown Relic (544714) on Thursday November 07, 2002 @01:07AM (#4614575) Homepage
      While this is true, it's really not that big of a deal. The article states that for this attack to work from outside your internal network the remote management functionality needs to be turned on. I own a Linksys router and know for a fact that this feature is not enabled by default. Chances are that those knowledgeable enough to require, and enable, remote management will be the same tiny percentage who will bother to update their firmware.

      While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame...
      • While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame
        If, as I believe, the attack can be in the form of a URL, then imagine email like that contained something like

        <a href="linksysCrasher">http://innocuous.site/</a>

        (I typed that in correctly, but sd seems to add a space before the last semi-colon)

        Something like that could fool people into DOSing themselves.

        • Better yet, use an image tag rather than a link. That way, merely viewing the page (or mail) triggers the SNAFU:

          <img src="linksysCrasher/cgi-bin">
    • I bought a couple of these buggers- they were cheap (about $US80) and effective. But on the first day I decided to flash the ROM on one of them to the latest firmware. I followed all the instructions and the unit was toast. Three weeks later I got a replacement unit.

      It's so easy for something to go wrong when flashing ROMs, I can't really risk doing without my router for weeks on end. Even if you know what you're doing, there's little you can do if it fails.
      • Re:Upgrade Firmware (Score:5, Informative)

        by AmigaAvenger (210519) on Thursday November 07, 2002 @02:12AM (#4614839) Journal
        Did the same thing, and after digging through Linksys's site, I found out there IS a way to correct it. (Check the docs; basically you just toss a new firmware up to it even if it doesn't respond. The router portion is separate from the switch, which seems to be able to flash it.)
      • I've flashed mine several times and never had a problem. I'm not really sure what you mean by "it's so easy for something to go wrong". Sure the power could go out or the network cable get accidentally unplugged (I wouldn't flash over 802.11b. Hmmm, I just thought of a wicked wireless+router ROM attack that is too large for this parenthetical phrase), but really there is little that can go wrong when TFTPing a new rom to your router.

        It sounds like this attack can be ended by a router reboot, but if you really can't go that long without a router, you may want to consider buying a second one as a backup.
        • I'm not really sure what you mean by "it's so easy for something to go wrong".

          Well, for instance, the manufacturer could fail to tell you that you need to change your PC's IP address so that it is on the same subnet as the factory setting of the router, even if you've changed the router's IP address. That's what happened to me. Or you could lose power or the computer could crash or whatever. The upgrade process is not very failproof.
    • Re:Upgrade Firmware (Score:3, Interesting)

      by eean (177028)
      Not really, considering that the .01% who know what they are doing don't have remote management turned on. Then there are the large majority of home users who went through the quick step guide and never accessed their router again, so have the default setting (remote management off). Those at risk are those who know enough to be dangerous.

      I suppose there are a few people who have an actual reason to use remote management. These people need to update.

      I'm not going to update my router - it's functional, and secure. Since all your settings are erased on update, it would take more work than is worth it.
      • Re:Upgrade Firmware (Score:5, Informative)

        by WhiteKnight07 (521975) on Thursday November 07, 2002 @03:35AM (#4615075)
        Actually I just flashed mine and it kept all my settings. Port forwarding, IP address, subnet mask, all of it. I feel I should mention that I was unable to flash the firmware from linux. Mozilla simply didn't upload the file containing newer firmware (I have no clue why) and when I tried to use Konqueror it got about halfway through the update process when the router reported a "pattern error" in the binary file and aborted the upgrade. So I booted to Win2k and ran their little update program and it flashed it just fine. Although I did have to turn off the Proxomitron [proxomitron.org].

        • I feel I should mention that I was unable to flash the firmware from linux. Mozilla simply didn't upload the file containing newer firmware (I have no clue why)...

          I've run into the same issue, I just disable the management password and then use the tftp upload method. Just remember to re-enable the password after the upload.


          subsolar

  • by didiken (93521) on Thursday November 07, 2002 @01:00AM (#4614520) Homepage
    Check Popular Linksys Router Vulnerable to Attack [eweek.com] on eWeek also.
  • remote management (Score:5, Informative)

    by budcub (92165) on Thursday November 07, 2002 @01:02AM (#4614530) Homepage
    According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.
  • by CatWrangler (622292) on Thursday November 07, 2002 @01:03AM (#4614538) Journal
    I am sure not a single hacker out there is going to investigate if Hillary Rosen has upgraded her software, and if they did so, it would only be to test her system, due to concern for her security and to warn her of possible problems.
    • by Speare (84249) on Thursday November 07, 2002 @08:39AM (#4615783) Homepage Journal

      Actually, I think Hilary has a copy of one of my copyrighted files. Yeah, that's it. And she might be copying it to Ashcroft. Uh huh. And with the latest push towards allowing copyright owners to become vigilan^W self-reliant, then I (or any designated third party) can and should ensure that their machines are unable to propagate their nefarious activities.

  • by Anonymous Coward
    It's a 4 port home router - who's going to wage a DOS attack on a piddly $50 home router? And even if they did - just reset the darn thing. No big deal. I would only get the patch if this problem happened repeatedly.
      I had someone launch a small one on me, believe it or not. $50 Linksys router, cable modem, I notice an nmap scan happening, so I send him back some ICMP echo requests with LEAVE ME ALONE in the payload, and then about 25 zombies shut down my connection for about 20 minutes.

      Someone will attack anything for the same reason people climb Mt. Everest.

    • by The Breeze (140484) on Thursday November 07, 2002 @02:25AM (#4614871) Homepage
      The default Linksys in the article has 4 ports, true, but they can actually support 254 clients if you connect them to a switch. Furthermore, the BEFSR11 is a one-port, designed to be connected to a switch or hub, and has proven very popular in labs of anywhere from 10-30 workstations, although it can actually support up to 254 clients. Consequently, there are those out there who may get a sick kick out of kicking schools, non-profit organizations and other institutions offline.

      The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot. Practically maintenance free. Most of mine already have upgraded firmware, but you can bet that I - and several other admins who oversee non-profit and educational sites - will be busy checking firmware versions for a while.

    I heard the 'remote management' option was a huge vulnerability over a year ago. I'm no expert, but I doubt any security conscious folks would have remote management enabled, and it is not clear if the boxes are vulnerable with this feature turned off.

    Or am I missing something?

  • by tulare (244053) on Thursday November 07, 2002 @01:03AM (#4614543) Journal
    From the e-week article, all you have to do is disable remote admin, which is the default setting, which you should have confirmed anyhow. Duh.
    No firmware flashing needed.
  • by hillct (230132) on Thursday November 07, 2002 @01:03AM (#4614544) Homepage Journal
    While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).

    --CTH

    • This boggles my mind:

      The 4-port DSL router (vulnerable) is using firmware 1.40something, and must be upgraded. The latest is 1.43.

      The 8-port model, which is what I have, and which is exactly the same damn thing (same functionality, same interface, almost the same user manual) except that it's a few inches wider and has 4 more ports, uses firmware 2.something. And is apparently not vulnerable.

      Providing another 4 ports (one extra bit?) requires the firmware to be that different?

      • by Jace of Fuse! (72042) on Thursday November 07, 2002 @01:31AM (#4614697) Homepage
        Providing another 4 ports (one extra bit?) requires the firmware to be that different?

        Having used both, I can tell you that they are not "exactly the same" as you put it.

        The two models are very different.

        For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.

        Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).

        The 4 switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).

        There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)
        • For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.

          Huh. Okay, color me stupid. I wonder what I was actually looking at when I thought I was looking at the 4-port model. (A 2-port model? Heaven knows there are users who would buy them...)

          Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).

          Uhhhhh. I'm pretty sure all 8 LAN ports are switched. The only 4/4 split I've ever found is this one:

          The 4 switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).

          Actually, you get to choose which, if any, 4 ports can use QoS. The remaining 4 get low priority. But I think all 8 are still switched.

          • I wonder what I was actually looking at

            You have me there. I've seen most of the Linksys routers and they have in the past two years all been the same blue and black case. They're intentionally designed so that even if you have several different models they will all stack and look alike. Even the wireless one has the same form factor, except for the two black antennas sticking out of the back.

            Actually, you get to choose which, if any, 4 ports can use QoS. The remaining 4 get low priority. But I think all 8 are still switched.

            While I won't say that isn't correct (it may be), it wasn't the impression I was given in the manual that came with this particular model that I have in front of me. I don't know where the book is at this moment to double check.
  • Find Relief Here (Score:5, Informative)

    by footNipple (541325) <footnipple@indiati m e s . c om> on Thursday November 07, 2002 @01:04AM (#4614546)
    This should get you on the path to recovery...this and a stiff shot of Black Bush:

    http://www.linksys.com/download/default.asp [linksys.com]

  • Hmmmm.... (Score:4, Insightful)

    by El Pollo Loco (562236) on Thursday November 07, 2002 @01:04AM (#4614548)
    While I have a Linksys router, this still does not concern me. All I have to do is unplug it, and plug it back in. Net access restored. I don't know of any home users who need 100% uptime internet access. I suppose there are some work-at-home people who might need it. But personally, I have more problems with AT&T cable's fluctuating speeds than I would with my router crashing.
    • While I have a linksys router, this still does not concern me
      Is it only this vulnerability that doesn't concern you, or home network security issues in general don't concern you? Just because your life doesn't depend on your home network security doesn't mean you shouldn't be responsible and vigilant with security. Script kiddies just love folks like you, and if some bored teenager happens upon your DOS'able router, he'll keep shutting you down just as fast as you can power cycle, just for the fun of it. After the first few times, your tune will change.
      I have enough problems with AT&T cables fluctuating speeds
      You want to know one factor in the speed problem? People that don't care or know about security are constantly consuming bandwidth due to viruses and worms. Every day I see numerous attempts to spread Code Red/Nimda/whatever, and most of them come from ATTBI. So, stop being a part of the problem and be part of the solution.
  • This only affects you if your router has 'remote management' enabled. Since so few people need this, and those that do are more technically minded, this shouldn't be much an issue. The worst this flaw can cause anyways is for the router to crash. The software in there sucks. My linksys crashes if it can't find a dhcp server, that a simple cgi script error crashes it is nothing new to me.
    • I had an early post in this thread pointing out the popularity of this router in non-profit and educational settings to run labs - since this router is vulnerable to this attack from the inside or outside, (outside only if remote management is enabled), it should still be patched - because even if remote mgt is disabled some idiot delinquent on the inside can bring down the whole facility just by cutting & pasting into the URL of their browser if they are behind the router. I support several labs that have people silly enough to do just that for kicks.

  • From what I see (Score:5, Informative)

    by jchawk (127686) on Thursday November 07, 2002 @01:05AM (#4614552) Homepage Journal
    It looks like in order to cause the crash you have to have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal IP address, along with not coming through the WAN port.

    Just my 2 cents.
  • by Chris_Stankowitz (612232) on Thursday November 07, 2002 @01:05AM (#4614554)
    Devices like Linksys suffered from a much larger security problem. IGNORANCE! High-speed access in the home has brought about a whole new type of internet user. The type that doesn't log off. Let's be honest, many of us are lazy. We know what we are doing but are still lazy. Then there is the other group, not lazy, but they don't know what they are doing. The security issues that go along with multiple machines, always connected to the internet without ANY protection (node firewalls like Norton Internet Security for example, or virus protection, I don't need to give an example of that) far exceed any "NEW" issues that may now exist because of a flaw in this product. Education!!! Plain and simple will reduce any threat that this flaw or any other would exacerbate.
    You realize that these routers do provide a degree of firewalling simply by being NAT devices? And that there is no 'logging off' the router from its internet connection?
    • Devices like linksys suffered from a much larger security problem. IGNORANCE! ... Education!!! Plain and simple will reduce any threat that this flaw or any other would exacerbate.

      Bah, just give them a modem and a few AOL cds.

    • On the linksys there is another option, Block WAN Request, that locks down all machines on the intranet behind it pretty effectively. The only connections allowed are those that originate from inside the LAN.

      I don't remember if it is turned on by default. Settings are saved through firmware upgrades and it has been a long time since I bought my router.
  • by NynexNinja (379583) on Thursday November 07, 2002 @01:05AM (#4614555)
    Here [linksys.com] is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. It's the newest one I could find.
  • by XaXXon (202882)
    I have one of these, and the remote administration isn't enabled by default.

    So for Aunt Tilly, there's no real danger unless the malicious person is on the network.

    Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"
  • by quantumparadox (454022) <qparadox@hotmail.com> on Thursday November 07, 2002 @01:05AM (#4614557) Homepage
    I upgraded my BEFSR11 and it used the same firmware update as the *41 (4 port switch model), so it's pretty safe to assume this version is vulnerable as well.

    The firmware updates can be had here:

    http://www.linksys.com/download/firmware.asp
  • by Keeper (56691)
    Unless you've got your router setup to allow you to configure it remotely (ie: on the cablemodem side of the network; aka, while you're at your friends house). If you've done this, odds are this problem is the least of your concerns.

    And there's already a firmware fix for it, should you be concerned that any script kiddies living in your house will want to hose their connection to the outside world...
  • Big deal, (Score:3, Insightful)

    by Trusty Penfold (615679) <jon_edwards@spanners4us.com> on Thursday November 07, 2002 @01:07AM (#4614572) Journal


    Firstly, my router (SMC, not Linksys) crashes on its own every now and then.
    It's consumer grade gear, people are probably used to turning them off and back on again anyway. And it's not like the main computer is affected.

    Secondly, the attack has to originate on the inside network. It's not like the script kiddiz can take out these boxes en masse by blasting out a load of packets. Once you visit a malicious site - if there even is a real one - you'll soon learn not to go there again.
      It's not like the script kiddiz can take out these boxes en masse by blasting out a load of packets.

      See my other post here. [slashdot.org] All it takes is some UDP packets using nmap and the router goes belly-up. Try it sometime from an offsite unix host.
  • *sigh* (Score:3, Informative)

    by jeffy124 (453342) on Thursday November 07, 2002 @01:07AM (#4614574) Homepage Journal
    When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.

    "Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS for anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
    Weird or what...

    I've spent this evening trying to sort out why the router goes belly-up after using eDonkey for a while. The problem started a week ago, but since then the occurrences have been more regular. I just upgraded the firmware an hour ago!!!

    I have the BEFSR411 and found a decent forum link with the same problem [broadbandreports.com]... and there is another link of info/problems here [broadbandreports.com].

    I suppose it goes without saying that updating the firmware is a good idea... at least there are more improvements to the web-config interface. I'll just have to see how long the connection stays up.

  • Those Dumb Fucks (Score:2, Informative)

    by cscx (541332)
    I hate Linksys. I have that router, and it kept crashing on me. Changed the cable, everything, etc. Nothing. Even thought it was the cable modem for a while (would lose net access, but I finally found out the router wouldn't accept internal pings either). They sent me a new one (made ME pay for shipping), and it did the same thing. Tried all firmware versions, nothing.

    Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.

    Now, this bug shouldn't really affect anybody 'cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me a bit!
    • Re:Those Dumb Fucks (Score:2, Informative)

      by soulctcher (581951)
      I've not had many problems with my linksys since the VERY early firmware. As far as the UDP packet issue, you may be right. I mod http://www.kaillera.com/ [kaillera.com]'s forums, [the Kaillera client/server software allows gaming programs, mainly emulators, to communicate over the net, though they normally wouldn't].

      During the early stages, we had more and more people telling us that they were having problems accessing the servers in Kaillera. The connection protocol happens to be UDP.

      The problem was, I was fine, as were a number of others that use(d) the Linksys routers. Our suggestion was to upgrade the firmware or to just DMZ the router, which worked 90% of the time. For many people, that worked. Over the almost two years now, the problems w/the router have almost completely disappeared.
      • I had (prior to purchasing a much, much, better netgear router) the same problems the above poster had with UDP packets hanging the thing, and no firmware upgrade would fix it.

        Maybe they had a bad run of the things early on? I got mine a few months after they first appeared (March 2000 I think was the original firmware date). It wouldn't surprise me if they cut corners to keep them $20 under competitors.

    • by Wee (17189) on Thursday November 07, 2002 @03:26AM (#4615051)
      When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes.

      If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.

      The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guestimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.

      I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.

      -B

      • I'm talking about UDP traffic on the WAN port, NOT the LAN side. The point I was trying to make is that if you can make a 'firewall' shut down by sending packets at it, that kind of defeats the purpose of a firewall in the first place.

        It is a handy, very small, little blue box, and if I really needed any more security I'd use a Cisco anyway, but if you've ever had to walk to your room with the router in it > 15 times one night to power cycle that mofo, you'd be pissed too.
        • The point I was trying to make is that if you can make a 'firewall' shut down by sending packets at it, that kind of defeats the purpose of a firewall in the first place.

          You certainly have a point. Maybe you have bad hardware? I know of lots of people (~10) who own those routers and none of them have had any problems. If you can't return the one that you have, it might be worth it to try to find a used one on ebay and see if the problem persists.

          -B

    I have a BEFSR11 that uses the same firmware releases as the BEFSR41. My roommate and I are always listening to streaming music. Streaming music uses UDP. Whenever we have issues with the Internet, it's because of Ameritech.

      It's impossible to overflow the NAT table with UDP packets on a few sessions. The NAT table keeps one entry per session, not one entry per packet. If I make a connection to a server and get a stream of a trillion UDP packets, that's one entry in the NAT table used to map the session. You would need to sustain 520 sessions [linksys.com] to fill up the NAT table.

      They say that the router has a 512KB memory buffer, but I'd assume they meant to say that it has 512KB of memory. Most of that memory is probably filled by the OS and settings. I wonder how much memory is actually devoted to the NAT table.
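The one-entry-per-session point above is easier to see in a toy model. The block below is an added illustration, not Linksys firmware or anything from the thread: a NAT table keyed on the full flow 5-tuple, with the 520-session figure quoted above taken as its capacity and an invented 300-second idle timeout. It shows that a single long UDP stream occupies one entry however many packets it carries, that the table only fills when hundreds of distinct flows are open at once, and that idle-timeout eviction is what lets the table recover afterwards.

```python
# Toy model of a NAT session table (added illustration, not vendor code).
# Assumptions: the 520-session capacity is the figure quoted in the post above;
# the 300 s idle timeout is invented; entries are keyed on the full 5-tuple.
NAT_TABLE_CAPACITY = 520
IDLE_TIMEOUT = 300.0


class NatTable:
    """One entry per flow (proto, src_ip, src_port, dst_ip, dst_port), not per packet."""

    def __init__(self, capacity=NAT_TABLE_CAPACITY, idle_timeout=IDLE_TIMEOUT):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.sessions = {}   # flow key -> {"packets": count, "last_seen": timestamp}
        self.dropped = 0     # new flows refused because the table was full

    def _expire(self, now):
        """Reclaim entries that have been silent for longer than the idle timeout."""
        stale = [k for k, v in self.sessions.items()
                 if now - v["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def handle_packet(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Account one outbound packet; returns False if a new flow had to be refused."""
        self._expire(now)
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        entry = self.sessions.get(key)
        if entry is not None:            # existing flow: same entry, one more packet
            entry["packets"] += 1
            entry["last_seen"] = now
            return True
        if len(self.sessions) >= self.capacity:
            self.dropped += 1            # table full: this flow cannot be translated
            return False
        self.sessions[key] = {"packets": 1, "last_seen": now}
        return True

    @property
    def entries_in_use(self):
        return len(self.sessions)


def stream_one_session(n_packets, table=None):
    """One LAN host pulling a long UDP stream from one server: many packets, one flow.
    Returns the number of table entries in use afterwards."""
    if table is None:
        table = NatTable()
    for i in range(n_packets):
        table.handle_packet("udp", "192.168.1.10", 5000, "203.0.113.5", 8000, now=i * 0.01)
    return table.entries_in_use


def open_many_sessions(n_sessions, table=None):
    """One LAN host opening n distinct flows at the same instant (a new source port each).
    Returns (entries_in_use, flows_dropped)."""
    if table is None:
        table = NatTable()
    for i in range(n_sessions):
        table.handle_packet("udp", "192.168.1.10", 10000 + i, "203.0.113.5", 53, now=0.0)
    return table.entries_in_use, table.dropped


if __name__ == "__main__":
    print("one stream of 100,000 packets uses", stream_one_session(100_000), "entry")
    print("600 simultaneous flows -> (entries, dropped) =", open_many_sessions(600))
```

The model keeps every flow alive for the idle timeout, so a burst of short-lived flows (each using a fresh source port) is what exhausts the table, not packet volume; a shorter UDP timeout is the usual knob on real devices.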

    I had one of these piles of shit for a year! Anything UDP packet heavy (gaming, streaming audio/video...) will take this thing down. Weird thing is, it was intermittent. There were a couple of months out of the year it did it with only 5 minutes' worth, and other times when it never crashed at all.

      It also CORRUPTS data within the network. I was running Apache on my system and when I accessed it with loopback (or from any other computer on the network), the pages would come back garbled in some way half the time. It did this for people outside the network too on early versions of firmware, but they fixed the outside problem. I guess they didn't bother to check inside. When I plugged the system straight into the modem, problems disappeared.

      After getting no support (box says '24/7'...I tried 8 times for a total of 16 hours worth of being put on hold) and no returned emails, I kicked this piece of shit to the curb and bought a Netgear.

      Haven't had a problem since. Spend the extra $20 and buy a Netgear.

    • Have you updated the firmware? My SR11 used to lock cold every few days. A few updates ago (Early summer), they finally got it right. I haven't had a lock up in months.
  • If anyone hears reports of the '41 being subject to ME or XP attacks, please post. For now...well... I've never been afraid of a couple of backslashes or a c:\.
  • by Raetsel (34442) on Thursday November 07, 2002 @01:19AM (#4614649)

    The following showed up on the NetStumbler [netstumbler.com] site yesterday:
    • GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem.

      Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.

      Systems Affected:

      Vulnerable, tested, OEM Version from GlobalSunTech:
      • WISECOM GL2422AP-0T

      Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
      • D-Link DWL-900AP+ B1 version 2.1 and 2.2
      • ALLOY GL-2422AP-S
      • EUSSO GL2422-AP
      • LINKSYS WAP11 v2.2
    (And I just got a WAP11, dammit.)

    In other news, JWZ's DNA Lounge [dnalounge.com] is having troubles [dnalounge.com] with their Linksys WAP11-based wireless link, which is their only connectivity right now.

    • "...the best sustained throughput they can handle is on the order of 64k."
    Ouch.

    (They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
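The GlobalSunTech advisory quoted in the post above describes a plain-text UDP probe (a broadcast to port 27155 carrying the string "gstsearch") that makes an affected access point give up its WEP keys and admin password, on both the LAN and WLAN side. Since the probe is trivially recognisable on the wire, the natural defender's response while waiting for fixed firmware is to watch for it. The block below is an added example, not code from the advisory or any vendor: a minimal IPv4/UDP parser plus a detection rule run over a constructed capture. Everything apart from the port number and the marker string (both from the advisory text) is an assumption, including the sample addresses.

```python
import struct

# Detection rule for the "gstsearch" disclosure probe quoted above.
# Added illustration, not vendor code; every packet below is constructed for the test.
GSTSEARCH_PORT = 27155          # UDP port named in the advisory
GSTSEARCH_MARKER = b"gstsearch" # payload string named in the advisory
IPPROTO_UDP = 17


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload; test input only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_udp_datagram(src, dst, sport, dport, payload):
    """IPv4/UDP datagram with a zero UDP checksum; test input only."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return build_ipv4(IPPROTO_UDP, src, dst, udp)


def parse_ipv4_udp(frame):
    """Parse a raw IPv4 packet (no link-layer header). Returns a dict for UDP, None otherwise."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 8 or frame[9] != IPPROTO_UDP:
        return None
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if ulen < 8 or len(frame) < ihl + ulen:
        return None                        # truncated datagram: do not trust the payload
    return {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": frame[ihl + 8:ihl + ulen],
    }


def is_gstsearch_probe(pkt):
    """True when a UDP datagram targets port 27155 and carries the "gstsearch" marker."""
    return (pkt is not None
            and pkt["dport"] == GSTSEARCH_PORT
            and GSTSEARCH_MARKER in pkt["payload"])


def scan_capture(frames):
    """Run the rule over raw IPv4 frames; returns one alert per matching datagram."""
    alerts = []
    for frame in frames:
        pkt = parse_ipv4_udp(frame)
        if is_gstsearch_probe(pkt):
            alerts.append({
                "src": pkt["src"],
                "dst": pkt["dst"],
                # a broadcast destination means every AP on the segment was asked at once
                "broadcast": pkt["dst"] == "255.255.255.255" or pkt["dst"].endswith(".255"),
            })
    return alerts


# Constructed sample capture: one probe, one DNS query, one unrelated datagram to
# port 27155, and one TCP segment that the UDP parser must ignore.
SAMPLE_CAPTURE = [
    build_udp_datagram("192.168.1.50", "255.255.255.255", 40000, GSTSEARCH_PORT, b"gstsearch"),
    build_udp_datagram("192.168.1.50", "192.168.1.1", 40001, 53,
                       b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    build_udp_datagram("192.168.1.51", "192.168.1.1", 40002, GSTSEARCH_PORT, b"hello"),
    build_ipv4(6, "192.168.1.52", "192.168.1.1", b"\x00" * 20),
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print("gstsearch probe from %(src)s to %(dst)s (broadcast=%(broadcast)s)" % alert)
```

In practice the same rule would be fed from a sniffer on the wired segment behind the access point (the advisory says the LAN side answers too), and an alert from an address that is not the network's own management host is the signal to rotate the WEP key and admin password and re-check the firmware version.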

  • by frovingslosh (582462) on Thursday November 07, 2002 @01:27AM (#4614680)
    If you leave your car unlocked with the keys in the ignition in N.Y.C., it's at risk.

    What a lame report! The detail it's sparse on is that the remote management feature is not enabled by default. Well, doh!, if I turn on remote management someone can get in and affect my system (particularly if I don't change the password). Imagine that!

  • I mean, seriously, enlighten me here: why in the world would you want to remotely manage your *cheap* router?

    "*in case i forgot to configure something before i went out" is not a good answer, by the way.

    You will have more problems than DoS if you have the remote-configure enabled anyway - instead of a boring little DoS, I would try to crack the password and put all your computers in the demilitarized zone (is that what they call it these days?) and then try to break into your Windows boxes (or Linux or whatever). I bet half the people out there (probably more) never even changed the default password on their routers.

    Sigh... this is such a non-issue. I can't believe I am wasting a whole 5 minutes yapping about it.
    • "*in case i forgot to configure something before i went out" is not a good answer, by the way.

      Why not? Just today I realized that since I had upgraded my router's firmware, I had not opened the ssh ports to the OpenBSD box behind it.. and there were some files on that box I needed to put up for download from work.

      So, I logged into the router, opened port 22 to the OBSD box, and then proceeded to ssh into it. This was a lifesaver.
  • What you're all forgetting is, this is only an issue if you have remote management enabled, and it's not enabled by default...

    (Seriously, does anyone read a thread before they post anymore?)

    I'm glad they posted this. Eventually I'll go over to my mom's house and upgrade her firmware. I can't really see her crashing her own router... well, not on purpose, anyway. She might by accident trying to go to Yahoo! (which is what she calls whatever browser she happens to be using, unless it's AOL. No, not net savvy.)
  • Mac OS Instructions (Score:5, Informative)

    by Daleks (226923) on Thursday November 07, 2002 @01:40AM (#4614734)
    LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that is supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here [mactechnologies.com]. It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. It worked for me.
  • by indiigo (121714) on Thursday November 07, 2002 @01:42AM (#4614748) Homepage
    In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their hearts content, or write a script to scan through an IP range and automate it.

    I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.

    http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=469092836&m=5300962863
  • That particular router comes with no password as default, which makes it very vulnerable, because it will accept a TFTP firmware download from the WAN side. I don't know that anyone has bothered to write exploit firmware for the thing, but someone could send it a junk file via TFTP and lock it up.

    Linksys firmware since February 2002 has been reasonably decent. Early versions would crash about once a day in normal operation.

  • Anyone spot any instructions on getting a Unixish tftp to do whatever authentication is necessary to update?

    It's not all that urgent for me, since however idiotic I might be, I made doubly sure when I set the thing up that remote management was disabled. Imagine all the "http://admin:admin@address/" attempts there'd be otherwise.
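The "http://admin:admin@address/" attempts mentioned above, and the "no password as default" point a few posts up, come down to one check a router owner can run against their own box: does the admin page answer 200 to a factory-default or empty credential pair? The script below is an added example, not code from the thread, from Linksys, or from iDefense. It builds the same Basic Authorization header a browser sends for a user:pass@host URL, tries a short assumed list of default pairs, and reports the first one accepted. To run offline it embeds a constructed mock router (a tiny HTTP server that demands Basic auth); the credential list, realm string and port handling are assumptions, not anything the BEFSR41 actually does.

```python
"""Added example (not from the thread): check whether a router's HTTP admin
interface accepts default/blank credentials. A constructed mock router is
embedded so this runs offline; DEFAULT_CREDS and the realm are assumptions."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credential pairs worth trying against a home router's admin page (assumed list).
DEFAULT_CREDS = [("", ""), ("admin", ""), ("", "admin"), ("admin", "admin")]


def basic_auth_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser sends for http://user:pass@host/."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def accepts_credentials(url, user, password, timeout=3):
    """True if the admin page answers 200 to these credentials, False on 401/403."""
    req = urllib.request.Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else (500, 404) is not an auth answer; surface it


def find_default_credentials(url, candidates=DEFAULT_CREDS):
    """Return the first (user, password) pair the router accepts, or None if all are refused."""
    for user, password in candidates:
        if accepts_credentials(url, user, password):
            return (user, password)
    return None


# --- constructed mock router: a GET to / needs Basic auth matching `expected` ---
class _MockRouter(BaseHTTPRequestHandler):
    expected = basic_auth_header("admin", "admin")  # overwritten by start_mock_router()

    def do_GET(self):
        if self.headers.get("Authorization") == self.expected:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>Router setup page</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Linksys BEFSR41"')  # assumed realm
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_router(user="admin", password="admin"):
    """Start the mock on 127.0.0.1 on a free port; return (server, url)."""
    _MockRouter.expected = basic_auth_header(user, password)
    server = HTTPServer(("127.0.0.1", 0), _MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


def demo():
    """Run the check against two mock routers: one on factory defaults, one with a changed password."""
    results = {}
    for label, pw in (("factory default", "admin"), ("password changed", "s3cret-not-in-list")):
        server, url = start_mock_router("admin", pw)
        try:
            results[label] = find_default_credentials(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, hit in demo().items():
        print(f"{label}: {'ACCEPTS DEFAULT ' + repr(hit) if hit else 'no default credentials accepted'}")
```

Point find_default_credentials() at your own router's LAN address (the page's 192.168.1.1 default) to verify the password really was changed; the check only makes sense from the LAN side, since with remote management off and Block WAN Request on the router drops the same request arriving from outside.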

  • Yes, there's a DoS possibility in the Linksys routers. It's fixed in the 1.43 firmware release. Anyone who reads the Linksys forum at DSL Reports has known about this for weeks!
  • by inepom01 (525367) <inepom01@nospaM.hotmail.com> on Thursday November 07, 2002 @02:19AM (#4614854)
    I think this is the first or one of the first times we hear of one of these small router/NAT devices having vulnerabilities. This one is not very serious as it will only crash the device rather than allow someone to gain access to the network, but both this and other devices may have holes that would allow hackers to gain access to home LANs.
    This could be a serious problem in the coming future with these small routers/NATers being combined with wireless APs for everyone to use AIM from the couch. Great and all, but people with these things are probably going to bother even less with security than they do now, thereby introducing a whole host of nasty little attacks.
    This should be interesting to watch for.
  • by rworne (538610) on Thursday November 07, 2002 @03:24AM (#4615045) Homepage
    A security exploit has also been found in their (and other vendors') Wireless Access Points.

    Sending a certain string over a certain UDP port will cause the AP to return the WEP key, mac filter settings, and admin password over the WLAN and LAN side.

    Exploit can be found here [netstumbler.com]

    Makes me glad to have bought an Apple Airport for a change.

    Two of the three reasons for BEFSR41 owners not to worry about this have already been mentioned, namely, Remote Update is disabled by default (except for one reported firmware version); and

    The third reason is that Block WAN Request is enabled by default. This is how these routers make themselves invisible to the web: they just drop the packets that come from outside. This can be combined with opening a specific port (forwarding), in which case the traffic on that port is directed to a SPECIFIC machine on the LAN.

    An attacker could just scan a (network) subnet for IP addresses belonging to Linksys routers. Once they identified the targeted routers, they could bring them down just using their Web browser," said Sunil James, a senior security engineer at iDefense, which is in Chantilly, Virginia.


    I think this quote is wrong: these routers don't announce themselves during a scan. Just what would they be scanning for? Open ports? Those are passed to the designated machine on the LAN. In most cases they just do pure NAT. Help me out if I'm wrong on this.

  • The Lazy Way... (Score:3, Informative)

    by ZoneGray (168419) on Thursday November 07, 2002 @03:32AM (#4615070) Homepage
    The Lazy Way to deal with this is to turn remote management off. If you have no problems, leave it alone until you have some other reason to flash it.

    BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
  • 1.42.7 does not work properly on my BEFSR41 rev 1. Most people have rev 2, only people who bought them a long-ass time ago have to suffer with r1.

    1.43 seems to still have a bug where the uPnP forwarding page doesn't load properly. Linksys' "fix" for BEFSR41 v1 owners is to load the FORMER version of firmware which doesn't have uPnP which is apparently susceptible to this vulnerability. (Note: I have remote management turned off, please don't waste time trying to hax0r me.)

    As a result I am never buying another linksys firewall product nor am I suggesting them for others. I'm hoping that someone will bring out a mini itx with dual ethernet soon so I can cheaply build a very small linux-based replacement for my linksys box. (IE, which runs off a small power supply.) I have a 2 gig laptop disk just sitting waiting...

    • Re:1.42.7, 1.43 (Score:5, Informative)

      by adolf (21054) <flodadolf@gmail.com> on Thursday November 07, 2002 @04:26AM (#4615168) Journal
      Why bother with a laptop disk?

      It's just a firewall. It doesn't need mass storage, or at least nothing more than few megs. It just needs to be reliable.

      So. Just beg your friend for the throwaway 8- or 16-meg compactflash card that came with his camera, and plug it into one of these [peeweelinux.com].

      Less power (can we say "fanless PSU"?), more speed, and superb reliability. With proper research, the adapter should be in the same price range as the 2.5" IDE adapter kit that you'd need for a laptop drive...

      Save the hard drive for things that can benefit from the space.

      • Because while I have a gateway there, I might as well use it for other things, including a web server for some light content. If I use a mini-itx system the least powerful CPU I'll have is a 400mhz x86 clone, and I'll probably get the fastest chip. Seems a waste to use it solely for networking.
  • If I can't see under the hood (who says I'll understand everything I'll see though), I tend not to trust things like this, esp. when it comes to security. My good ol' linux router on a P90 suits me just fine and I can do so much more with it. I don't see me owning one of these ever, so I don't have to worry. :)
  • I own this product, so have decided to upgrade the firmware. Since I'm running Debian, I clicked the "Other Operating Systems" link on the firmware download page [linksys.com], only to be presented with a ZIP archive containing a Windows executable! Is this some kind of sick joke?

  • If you own this router and you own IE 5 or above, please visit this upgrade page [192.168.1.1], substituting the IP of your modem for 192.168.1.1 [Default].

  • Nothing new here (Score:2, Interesting)

    by v1 (525388)
    While these "DSL routers" and other various "consumer grade" networking products have popped up like dandelions in spring, so have the problems.

    My first venture into the fray was with an XSense (formerly MacSense) Xrouter. It was their variation on the "cable router" scene, for what is really more properly named a NAT box. It seemed to handle the fileserver well and port mapping was working fine. To their credit I'd also like to say they have some of the most impressive event logging I have ever seen, even recognizing attacks and identifying them by name. Then I tried to run a traceroute to an outside point to see how hop times were looking. Nothing.

    "Maybe it's filtering my packets?" I think, and try to connect to its web administration page, but no response. Oops, my clients just lost connection to the servers they were attached to. And look, all the users are dropping off my server. What the...? It turns out that any attempt to traceroute out causes the router to reboot. It continues to reboot until you stop the traceroute, and then takes several seconds to unscramble its eggs before you get connectivity back.

    I called up XSense and asked them what was going on, and if they had a firmware flash for me to fix it. Surprise, he reminds me that they did indeed ship their own traceroute program with the router, and I should use that. I run it, and surely enough, no crash. Tried every other traceroute app I could find, and every single one crashed the router except theirs.

    The words "known issue" float through my head. I bickered a bit with the rep about how NO app I (or any of my users!!!) run should be able to crash my NAT. End result, they don't care. Got off the phone with them and called up the vendor, they're like "here, let me get you the manufacturer's support number". "Nope, they told me tough luck, they know about it and they don't care." "Oh... let me get you an RMA."

    I actually ended up exchanging it for an Asante FR4003, which has worked flawlessly ever since. It gets a bit warm, so I keep it elevated so the metal bottom plate gets some convection. (It really should have some ventilation slots.) And they've updated their firmware twice now, both times including suggestions for improvements that I sent them. Very solid product. Interesting people answering their tech support though; I got a bit agitated one time when I was doing something stupid and got a bit argumentative with them... that's the only time I've ever had a customer support rep tell me to "shut the hell up and listen for a minute!" but maybe that's what I needed to hear at the time... ;-)
  • I have an Addtron ADR-E200p. I worry about security, and security holes too. I want to protect myself as much as possible. But has anyone seen addtron's homepage lately?? www.addtron.com

    I mean christ, their webpage is falling apart, sure Addtron routers may not be as flashy as Netgear or Linksys brandwise, but damn, it can't be *that* hard or *that* costly to maintain a site well enough to get the firmware updates that people need.

    At least there are brands that try to take care of their customers' concerns. Yeah, I know a homebrew Linux router would do the trick, but I paid good money for this router and they give me an unusable site for support in return.

  • OK, I know I'll be shunned for this...but...

    Over the years I've had several Linksys and Netgear routers fail. I got tired of that and decided to try something new. Since I wanted good UPNP support I grabbed one of the new Microsoft routers. I'm not sure who actually makes them, but I figured they had good keyboards and mice, right?

    The router is VERY nice. The interface is the best of the bunch, by far. While the Linksys never showed up as a UPNP device on my network (even with upgraded firmware and UPNP enabled) the MS router did. It also has a very simple setup procedure for a new user so they could get a whole network going in a few minutes with no confusion. I've also read that their wireless NAT routers will NOT let you run without WEP enabled and it makes it real easy to enable it. It writes the key to a floppy that can be put in the client workstations to get WEP going.

  • In a related, underpublicized story, Linksys's WET11, which has been getting a lot of buzz as a cheap wireless ethernet bridge, has a firmware flaw which allows a DoS [securiteam.com]. LinkSys has been slow to come out with a fix.

  • The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot.

    What.....like this: [union.edu]
