Security

Vulnerability In Linksys Cable/DSL Router 262

ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
This discussion has been archived. No new comments can be posted.

  • by didiken ( 93521 ) on Thursday November 07, 2002 @01:00AM (#4614520) Homepage
    check Popular Linksys Router Vulnerable to Attack [eweek.com]
    on eWeek also
  • remote management (Score:5, Informative)

    by budcub ( 92165 ) on Thursday November 07, 2002 @01:02AM (#4614530) Homepage
    According to the article, if you have remote management turned off, then people out on the internet can't use the exploit against you.
  • by hillct ( 230132 ) on Thursday November 07, 2002 @01:03AM (#4614544) Homepage Journal
    While I agree that the vast majority of home users will either lack the technical expertise or poise to flash the firmware, these are the people who will plug in the router and forget it, which means remote management won't be turned on so the attack won't be possible (unless the user opens up a telnet or SSH port for NAT pass-thru).

    --CTH
  • Find Relief Here (Score:5, Informative)

    by footNipple ( 541325 ) <footnipple&indiatimes,com> on Thursday November 07, 2002 @01:04AM (#4614546)
    This should get you on the path to recovery...this and a stiff shot of Black Bush:

    http://www.linksys.com/download/default.asp [linksys.com]

  • From what I see (Score:5, Informative)

    by jchawk ( 127686 ) on Thursday November 07, 2002 @01:05AM (#4614552) Homepage Journal
    It looks like in order to cause the crash you have to have remote management enabled. Why on earth you would allow your router to be configured from outside on the internet boggles my mind. I would assume that this feature would be disabled by default, but then again who knows. I've owned a few cheap routers before and in order to use remote management you had to be connecting from an internal ip address, along with not coming through the wan port.

    Just my 2 cents.
  • by NynexNinja ( 379583 ) on Thursday November 07, 2002 @01:05AM (#4614555)
    Here [linksys.com] is the location of the Linksys BEFSR41 firmware upgrade utility v1.43 released Sept 4, 2002. It's the newest one I could find.
  • by XaXXon ( 202882 ) <xaxxon&gmail,com> on Thursday November 07, 2002 @01:05AM (#4614556) Homepage
    I have one of these, and the remote administration isn't enabled by default.

    So for Aunt Tilly, there's no real danger unless the malicious person is on the network.

    Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"
  • by quantumparadox ( 454022 ) <qparadox@hotmail.com> on Thursday November 07, 2002 @01:05AM (#4614557) Homepage
    I upgraded my BEFSR11 and it used the same firmware update as the *41 (4 port switch model) so it's pretty safe to assume this version is vulnerable as well.

    The firmware updates can be had here:

    http://www.linksys.com/download/firmware.asp
  • Re:Luckily for me... (Score:1, Informative)

    by Anonymous Coward on Thursday November 07, 2002 @01:07AM (#4614573)
    Netgear home routers are rock solid when attached to cable modems, but are kind of flakey when attached to PPPoE DSL modems. But, then again, DSL is flakey itself. Just say NO to DSL! And a bigger fucking 'no' to the abortion of a protocol called PPPoE.
  • *sigh* (Score:3, Informative)

    by jeffy124 ( 453342 ) on Thursday November 07, 2002 @01:07AM (#4614574) Homepage Journal
    When will the media realize that not all DoS attacks are DDoS? DDoS is when the attacker gets a bunch of machines to all send data to the target machine, causing the target to run out of resources to handle all connections, swallowing the legit traffic in the process.

    "Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
  • Re:Upgrade Firmware (Score:5, Informative)

    by Unknown Relic ( 544714 ) on Thursday November 07, 2002 @01:07AM (#4614575) Homepage
    While this is true, it's really not that big of a deal. The article states that for this attack to work from outside your internal network the remote management functionality needs to be turned on. I own a Linksys router and know for a fact that this feature is not enabled by default. Chances are that those knowledgeable enough to require, and enable, remote management will be the same tiny percentage who will bother to update their firmware.

    While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame...
  • Those Dumb Fucks (Score:2, Informative)

    by cscx ( 541332 ) on Thursday November 07, 2002 @01:12AM (#4614607) Homepage
    I hate Linksys. I have that router, and it kept crashing on me. Changed the cable, everything, etc. Nothing. Even thought it was the cable modem for a while (would lose net access, but I finally found out the router wouldn't accept internal pings either). They sent me a new one (made ME pay for shipping), and it did the same thing. Tried all firmware versions, nothing.

    Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.

    Now, this bug shouldn't really affect anybody cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me in the bit!
  • by Raetsel ( 34442 ) on Thursday November 07, 2002 @01:19AM (#4614649)

    The following showed up on the NetStumbler [netstumbler.com] site yesterday:
    • GlobalSunTech develops Wireless Access Points for OEM customers like Linksys, D-Link and others. Capturing the traffic of a WISECOM GL2422AP-0T during the setup phase showed a security problem.

      Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the access point to return WEP keys, MAC filter and admin password. This happens on the WLAN Side and on the LAN Side.

      Systems Affected:

      Vulnerable, tested, OEM Version from GlobalSunTech:
      • WISECOM GL2422AP-0T

      Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
      • D-Link DWL-900AP+ B1 version 2.1 and 2.2
      • ALLOY GL-2422AP-S
      • EUSSO GL2422-AP
      • LINKSYS WAP11 v2.2
    (And I just got a WAP11, dammit.)

    In other news, JWZ's DNA Lounge [dnalounge.com] is having troubles [dnalounge.com] with their Linksys WAP11-based wireless link, which is their only connectivity right now.

    • "...the best sustained throughput they can handle is on the order of 64k."
    Ouch.

    (They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)

  • by Jace of Fuse! ( 72042 ) on Thursday November 07, 2002 @01:31AM (#4614697) Homepage
    Providing another 4 ports (one extra bit?) requires the firmware to be that different?

    Having used both, I can tell you that they are not "exactly the same" as you put it.

    The two models are very different.

    For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.

    Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).

    The 4 Switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).

    There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)
  • Re:Old News (proof) (Score:2, Informative)

    by Symb ( 182813 ) on Thursday November 07, 2002 @01:34AM (#4614714) Homepage
    Oh and bugtraq [securityfocus.com] says that 1.42.7 isn't secure either.

    Here [securepoint.com] is a mailing list archive or yet another redundant reference of this problem. It's almost a year old. Come on slashdotters, don't get sloppy in the deluge huh?

  • Mac OS Instructions (Score:5, Informative)

    by Daleks ( 226923 ) on Thursday November 07, 2002 @01:40AM (#4614734)
    LinkSys only offers a specialized Windows firmware upgrading tool. The router itself has a Java applet that is supposed to work, but didn't for me in Mozilla 1.2b or IE 5.2.2. A friend directed me here [mactechnologies.com]. It has instructions on how to upgrade the firmware in Mac OS 9/X using their specialized tool. It worked for me.
  • Re:Linksys (Score:2, Informative)

    by MightyDrake ( 612329 ) on Thursday November 07, 2002 @01:41AM (#4614742)
    It doesn't take much to implement a TCP/IP stack, apparently. Check out a matchhead-sized web server. http://www-ccs.cs.umass.edu/~shri/iPic.html
  • by indiigo ( 121714 ) on Thursday November 07, 2002 @01:42AM (#4614748) Homepage
    In one firmware update last year, the "WAN UPDATE" setting was defaulted to yes. This would enable anyone to connect to a linksys router and update the configuration to their heart's content, or write a script to scan through an IP range and automate it.

    I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.

    http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=469092836&m=5300962863
  • Re:Upgrade Firmware (Score:5, Informative)

    by AmigaAvenger ( 210519 ) on Thursday November 07, 2002 @02:12AM (#4614839) Journal
    Did the same thing, and after digging through linksys's site, I found out there IS a way to correct it. (check the docs, basically you just toss a new firmware up to it even if it doesn't respond. The router portion is separate from the switch, which seems to be able to flash it.)
  • Re:Those Dumb Fucks (Score:2, Informative)

    by soulctcher ( 581951 ) on Thursday November 07, 2002 @02:12AM (#4614840)
    I've not had many problems with my linksys since the VERY early firmware. As far as the UDP packet issue, you may be right. I mod http://www.kaillera.com/ [kaillera.com]'s forums, [the Kaillera client/server software allows gaming programs, mainly emulators, to communicate over the net, though they normally wouldn't].

    During the early stages, we had more and more people telling us that they were having problems accessing the servers in Kaillera. The connection protocol happens to be UDP.

    The problem was, I was fine, as were a number of others that use(d) the linksys routers. Our suggestion was to upgrade the firmware or to just DMZ the router, which worked 90% of the time. For many people, that worked. Over the almost two years now, the problems w/the router have almost completely disappeared.
  • by Charles Dodgeson ( 248492 ) <jeffrey@goldmark.org> on Thursday November 07, 2002 @02:41AM (#4614912) Homepage Journal
    Anyone spot any instructions on getting a Unixish tftp to do whatever authentication is necessary to update?
    Google pointed me to these instructions [practicallynetworked.com] which says to use the http interface to remove any password, then just,

    tftp address of router
    tftp> mode binary
    tftp> put code.bin
    tftp> quit

    After you're done, reset your password.

    Obvious once someone else points it out.

  • by Wee ( 17189 ) on Thursday November 07, 2002 @03:26AM (#4615051)
    When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes.

    If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.

    The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guesstimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.

    I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.

    -B
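
A toy model of the failure mode described in the two comments above on UDP traffic filling the NAT table, added here as an illustration; it is not code from the thread or from any Linksys firmware. The table size, idle timeout, per-host quota and all addresses are assumptions, and `NaiveNatTable` is a guess at the behaviour rather than a description of the real firmware.

```python
from collections import OrderedDict

class NaiveNatTable:
    """Assumed failure mode: fixed slots, entries are never reclaimed."""
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, {}
    def translate(self, flow, now):
        if flow not in self.entries and len(self.entries) >= self.capacity:
            raise OverflowError("NAT table full")  # stands in for the crash
        self.entries[flow] = now
        return True

class BoundedNatTable:
    """Same capacity, plus idle expiry, a per-host quota and LRU eviction."""
    def __init__(self, capacity, idle_timeout, per_host_max):
        self.capacity, self.idle_timeout = capacity, idle_timeout
        self.per_host_max = per_host_max
        self.entries = OrderedDict()  # flow -> last seen, least recent first
    def translate(self, flow, now):
        while self.entries:  # reclaim mappings idle for idle_timeout or more
            oldest, seen = next(iter(self.entries.items()))
            if now - seen < self.idle_timeout:
                break
            del self.entries[oldest]
        if flow in self.entries:
            self.entries[flow] = now
            self.entries.move_to_end(flow)
            return True
        if sum(f[0] == flow[0] for f in self.entries) >= self.per_host_max:
            return False  # drop: this LAN host has used its quota
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict least recently used
        self.entries[flow] = now
        return True

def run(table, traffic):
    """Feed (time, flow) pairs; return (accepted, dropped, crashed)."""
    accepted = dropped = 0
    for now, flow in traffic:
        try:
            ok = table.translate(flow, now)
        except OverflowError:
            return accepted, dropped, True
        accepted, dropped = accepted + ok, dropped + (not ok)
    return accepted, dropped, False

def constructed_traffic():
    """Constructed sample: .50 sends 10 probes per tick, .10 one DNS flow."""
    traffic = []
    for i in range(500):
        dst = f"10.0.{i // 250}.{i % 250 + 1}"
        traffic.append((i // 10, ("192.168.1.50", 40000, dst, 40000)))
        if i % 50 == 0:
            traffic.append((i // 10, ("192.168.1.10", 5353, "192.0.2.53", 53)))
    return traffic
```

With a 64-entry table, `run(NaiveNatTable(64), constructed_traffic())` stops at the 64th distinct probe, while `run(BoundedNatTable(64, 5, 48), constructed_traffic())` finishes: the probing host loses a few of its own new flows to the quota and the other host's DNS flow is always translated.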

  • by MAurelius ( 565652 ) on Thursday November 07, 2002 @03:28AM (#4615059)
    Two of the three reasons for BEFSR41 owners not to worry about this have already been mentioned, namely, Remote Update is disabled by default (except for one reported firmware version); and

    The third reason is that Block WAN Request is enabled by default. This is how these routers make themselves invisible to the web: they just drop the packets that come from outside. This can be combined with opening a specific port (forwarding), in which case the traffic on that port is directed to a SPECIFIC machine on the LAN.

    "An attacker could just scan a (network) subnet for IP addresses belonging to Linksys routers. Once they identified the targeted routers, they could bring them down just using their Web browser," said Sunil James, a senior security engineer at iDefense, which is in Chantilly, Virginia.


    I think this quote is wrong: these routers don't announce themselves during a scan. Just what would they be scanning for? Open ports? Those are passed to the designated machine on the LAN. In most cases they just do pure NAT. Help me out if I'm wrong on this.

  • The Lazy Way... (Score:3, Informative)

    by ZoneGray ( 168419 ) on Thursday November 07, 2002 @03:32AM (#4615070) Homepage
    The Lazy Way to deal with this is to turn remote management off. If you have no problems, leave it alone until you have some other reason to flash it.

    BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
  • Re:Upgrade Firmware (Score:5, Informative)

    by WhiteKnight07 ( 521975 ) on Thursday November 07, 2002 @03:35AM (#4615075)
    Actually I just flashed mine and it kept all my settings. Port forwarding, IP address, subnet mask, all of it. I feel I should mention that I was unable to flash the firmware from linux. Mozilla simply didn't upload the file containing newer firmware (I have no clue why) and when I tried to use Konqueror it got about halfway through the update process when the router reported a "pattern error" in the binary file and aborted the upgrade. So I booted to Win2k and ran their little update program and it flashed it just fine. Although I did have to turn off the Proxomitron [proxomitron.org].
  • Re:1.42.7, 1.43 (Score:5, Informative)

    by adolf ( 21054 ) <flodadolf@gmail.com> on Thursday November 07, 2002 @04:26AM (#4615168) Journal
    Why bother with a laptop disk?

    It's just a firewall. It doesn't need mass storage, or at least nothing more than a few megs. It just needs to be reliable.

    So. Just beg your friend for the throwaway 8- or 16-meg compactflash card that came with his camera, and plug it into one of these [peeweelinux.com].

    Less power (can we say "fanless PSU"?), more speed, and superb reliability. With proper research, the adapter should be in the same price range as the 2.5" IDE adapter kit that you'd need for a laptop drive...

    Save the hard drive for things that can benefit from the space.

  • by Captain Large Face ( 559804 ) on Thursday November 07, 2002 @04:44AM (#4615200) Homepage

    If you own this router and you own IE 5 or above, please visit this upgrade page [192.168.1.1], substituting the IP of your modem for 192.168.1.1 [Default].

  • by Knife_Edge ( 582068 ) on Thursday November 07, 2002 @03:57PM (#4618983)
    On the linksys there is another option, Block WAN Request, that locks down all machines on the intranet behind it pretty effectively. The only connections allowed are those that originate from inside the LAN.

    I don't remember if it is turned on by default. Settings are saved through firmware upgrades and it has been a long time since I bought my router.
