Vulnerability In Linksys Cable/DSL Router 262
ispcay writes "Yahoo has published an article on a Linksys vulnerability. An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company." The article's kinda sparse on details, but does mention that the vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!
Upgrade Firmware (Score:5, Funny)
Re:Upgrade Firmware (Score:5, Informative)
While the attack will still work from inside the local network regardless of the state of the remote management function, it's really not a danger. The worst that someone could really do is DOS themselves, and wouldn't that be a shame...
Re:Upgrade Firmware (Score:2)
<a href="linksysCrasher">http://innocuous.site/</a> ;
(I typed that in correctly, but sd seems to add a space before the last semi-colon)
Something like that could fool people into DOSing themselves.
Use image tag (Score:2)
Re:Upgrade Firmware (Score:2)
It's so easy for something to go wrong when flashing ROMs, I can't really risk doing without my router for weeks on end. Even if you know what you're doing, there's little you can do if it fails.
Re:Upgrade Firmware (Score:5, Informative)
Re:Upgrade Firmware (Score:2)
It sounds like this attack can be ended by a router reboot, but if you really can't go that long without a router, you may want to consider buying a second one as a backup.
Re:Upgrade Firmware (Score:2)
Well, for instance, the manufacturer could fail to tell you that you need to change your PC's IP address so that it is on the same subnet as the factory setting of the router, even if you've changed the router's IP address. That's what happened to me. Or you could lose power or the computer could crash or whatever. The upgrade process is not very failproof.
Re:Upgrade Firmware (Score:3, Interesting)
I suppose there are a few people who have an actual reason to use remote management. These people need to update.
I'm not going to update my router - it's functional, and secure. Since all your settings are erased on update, it would take more work than is worth it.
Re:Upgrade Firmware (Score:5, Informative)
Re:Upgrade Firmware (Score:2)
I've run into the same issue, I just disable the management password and then use the tftp upload method. Just remember to re-enable the password after the upload.
subsolar
some details on eweek (Score:5, Informative)
on eWeek also
remote management (Score:5, Informative)
Hillary Rosen (Score:5, Funny)
Re:Hillary Rosen (Score:4, Funny)
Actually, I think Hilary has a copy of one of my copyrighted files. Yeah, that's it. And she might be copying it to Ashcroft. Uh huh. And with the latest push towards allowing copyright owners to become vigilan^W self-reliant, then I (or any designated third party) can and should ensure that their machines are unable to propagate their nefarious activities.
DOS attack easily resolved by resetting device (Score:2, Interesting)
Re:DOS attack easily resolved by resetting device (Score:2, Interesting)
Someone will attack anything for the same reason people climb Mt. Everest.
Re:DOS attack easily resolved by resetting device (Score:2, Funny)
Actually, this little thing is kinda powerful (Score:5, Insightful)
The BEFSR11 is truly cool. $50 gets you a box that barely draws any power and routes requests quite nicely for 254 machines and functions as a DHCP server to boot. Practically maintenance free. Most of mine already have upgraded firmware, but you can bet that I - and several other admins who oversee non-profit and educational sites - will be busy checking firmware versions for a while.
i thought this was already known... (Score:2, Interesting)
Or am I missing something?
Simple fix, not hard (Score:5, Insightful)
No firmware flashing needed.
Users would have to turn remote management on (Score:5, Informative)
--CTH
And on top of that... (Score:2)
This boggles my mind:
The 4-port DSL router (vulnerable) is using firmware 1.40something, and must be upgraded. The latest is 1.43.
The 8-port model, which is what I have, and which is exactly the same damn thing (same functionality, same interface, almost the same user manual) except that it's a few inches wider and has 4 more ports, uses firmware 2.something. And is apparently not vulnerable.
Providing another 4 ports (one extra bit?) requires the firmware to be that different?
Re:And on top of that... (Score:5, Informative)
Having used both, I can tell you that they are not "exactly the same" as you put it.
The two models are very different.
For starters, the 8 port version is NOT a few inches wider. It's the exact same width and looks identical from the front except the light arrangement which is slightly different.
Secondly, it's a 4 port Switch AND a 4 port Hub, (4 switched ports, and 4 hub ports).
The 4 Switched ports have QoS options, and the 4 port hub can be given a priority of its own (higher or lower than the switched ports, I believe).
There are also a few other details in the 8 port version that are not present in the 4 port version so we can safely assume they are functionality that is not present in the 4 port model for obvious reasons (it doesn't need them.)
Re:And on top of that... (Score:2)
Huh. Okay, color me stupid. I wonder what I was actually looking at when I thought I was looking at the 4-port model. (A 2-port model? Heaven knows there are users who would buy them...)
Uhhhhh. I'm pretty sure all 8 LAN ports are switched. The only 4/4 split I've ever found is this one:
Actually, you get to choose which, if any, 4 ports can use QoS. The remaining 4 get low priority. But I think all 8 are still switched.
Re:And on top of that... (Score:2)
You have me there. I've seen most of the Linksys routers and they have in the past two years all been the same blue and black case. They're intentionally designed so that even if you have several different models they will all stack and look alike. Even the wireless one has the same form factor, except for the two black antennas sticking out of the back.
Actually, you get to choose which, if any, 4 ports can use QoS. The remaining 4 get low priority. But I think all 8 are still switched.
While I won't say that isn't correct (it may be), it wasn't the impression I was given in the manual that came with this particular model that I have in front of me. I don't know where the book is at this moment to double check.
Re:Users would have to turn remote management on (Score:2)
Upgrade from Linux (Score:2)
Find Relief Here (Score:5, Informative)
http://www.linksys.com/download/default.asp [linksys.com]
Hmmmm.... (Score:4, Insightful)
Re:Hmmmm.... (Score:2)
Is it only this vulnerability that doesn't concern you, or home network security issues in general don't concern you? Just because your life doesn't depend on your home network security doesn't mean you shouldn't be responsible and vigilant with security. Script kiddies just love folks like you, and if some bored teenager happens upon your DOS'able router, he'll keep shutting you down just as fast as you can power cycle, just for the fun of it. After the first few times, your tune will change.
I have enough problems with AT&T cables fluctuating speeds
You want to know one factor in the speed problem? People that don't care or know about security are constantly consuming bandwidth due to viruses and worms. Every day I see numerous attempts to spread Code Red/Nimda/whatever, and most of them come from ATTBI. So, stop being a part of the problem and be part of the solution.
Not too much of an issue (Score:2)
Re:Not too much of an issue- wrong (Score:2)
Re:Not too much of an issue- wrong (Score:2)
RTFM
From what I see (Score:5, Informative)
Just my 2 cents.
And the point is what? (Score:4, Insightful)
Re:And the point is what? (Score:2, Insightful)
Re:And the point is what? (Score:2)
Bah, just give them a modem and a few AOL cds.
Re:And the point is what? (Score:3, Informative)
I don't remember if it is turned on by default. Settings are saved through firmware upgrades and it has been a long time since I bought my router.
BEFSR41 upgrade utility link location (Score:5, Informative)
not vulnerable by default (Score:2, Informative)
So for Aunt Tilly, there's no real danger unless the malicious person is on the network.
Anyone remember the Bud Ice commercials? "...I REPEAT! THAT CALL WAS PLACED FROM INSIDE THE HOUSE!!"
All router versions appear to use the same fmwr (Score:4, Informative)
The firmware updates can be had here:
http://www.linksys.com/download/firmware.asp
Non-issue, really... (Score:2, Redundant)
And there's already a firmware fix for it, should you be concerned that any script kiddies living in your house will want to hose their connection to the outside world...
Big deal, (Score:3, Insightful)
Firstly, my router (SMC, not linksys) crashes on its own every now and then.
It's consumer grade gear, people are probably used to turning them off and back on again anyway. And it's not like the main computer is affected.
Secondly, the attack has to originate on the inside network. It's not like the script kiddiz can take out these boxes en masse by blasting out a load of packets. Once you visit a malicious site - if there even is a real one - you'll soon learn not to go there again.
Re:Big deal, (Score:2)
See my other post here. [slashdot.org] All it takes is some UDP packets using nmap and the router goes belly-up. Try it sometime from an offsite unix host.
*sigh* (Score:3, Informative)
"Normal" DoS is what this is - crashing the target. For example, an old flaw in Wu-FTPD allowed a core dump - crashing the daemon and creating a DoS to anyone who needs it. All it took was a malformed request during a session. One machine required, not many.
Bizarre!!! (Score:2)
Weird or what...
I've spent this evening trying to sort out why the router goes belly-up after using eDonkey for a while. The problem started a week ago, but since then the occurrences were more regular. I just upgraded the firmware an hour ago!!!
I have the BEFSR411 and found a decent forum link with the same problem [broadbandreports.com]... and there is another link of info/problems here [broadbandreports.com].
I suppose it goes without saying that updating the firmware is a good idea... at least there are more improvements to the web-config interface. I'll just have to see how long the connection stays up.
Those Dumb Fucks (Score:2, Informative)
Well, guess what. When you fire a bunch of UDP packets at it, the NAT routing table overflows and the router crashes (it happens faster if you have your DMZ host address set to a nonexistent address on the network), only to reboot itself in a few minutes. This has been tested and proven, but Linksys' response to me is "it's your software firewall, sir, you shouldn't run both at the same time." What a bunch of ignorant assholes. I informed them of the routing table overflow bug, but they ignored me.
Now, this bug shouldn't really affect anybody cause you really shouldn't run remote admin on your router, but with their shoddy firmware, it doesn't surprise me in the bit!
Re:Those Dumb Fucks (Score:2, Informative)
During the early stages, we had more and more people telling us that they were having problems accessing the servers in Kaillera. The connection protocol happens to be UDP.
The problem was, I was fine, as were a number of others that use(d) the linksys routers. Our suggestion was to upgrade the firmware or to just DMZ the router, which worked 90% of the time. For many people, that worked. Over the almost two years now, the problems w/the router have almost completely disappeared.
A bad manufacturing run perhaps? (Score:2)
Maybe they had a bad run of the things early on? I got mine a few months after they first appeared (March 2000 I think was the original firmware date). It wouldn't surprise me if they cut corners to keep them $20 under competitors.
The slapper.* worms can make this happen (Score:5, Informative)
If you've seen slapper in action, you know this is true. A host behind the router gets infected by the slapper.* worm, and first thing it does (after building itself a new home) is start probing subnets for others. It finds friends, they talk, and much traffic ensues.
The Linksys can stand maybe 6, maybe 10 hours of that much UDP traffic before it reboots. Since the traffic is still coming in when it comes back up, it runs about a 10% chance (guesstimate) of restarting successfully. It hangs otherwise. Power cycling restores functionality, and resets the inevitable cycle.
I don't think it's a fault of Linksys. They have a product aimed at a certain market; judging from its popularity it does quite well there. If you have special needs beyond the average SOHO user, you need either an SDK or another vendor.
-B
Re:The slapper.* worms can make this happen (Score:2)
It is a handy, very small, little blue box, and if I really needed any more security I'd use a Cisco anyway, but if you've ever had to walk to your room with the router in it > 15 times one night to power cycle that mofo, you'd be pissed too.
Re:The slapper.* worms can make this happen (Score:2)
You certainly have a point. Maybe you have bad hardware? I know of lots of people (~10) who own those routers and none of them have had any problems. If you can't return the one that you have, it might be worth it to try to find a used one on ebay and see if the problem persists.
-B
You Don't Understand NAT (Score:2)
It's impossible to overflow the NAT table with UDP packets on a few sessions. The NAT table keeps one entry per session, not one entry per packet. If I make a connection to a server and get a stream of a trillion UDP packets, that's one entry in the NAT table used to map the session. You would need to sustain 520 sessions [linksys.com] to fill up the NAT table.
They say that the router has a 512KB memory buffer, but I'd assume they meant to say that it has 512KB of memory. Most of that memory is probably filled by the OS and settings. I wonder how much memory is actually devoted to the NAT table.
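Added example, not part of the comment above or of any Linksys code: a small simulation of the per-session accounting that comment describes, using its 520-entry figure. The class and function names, the 120-second idle timeout, the addresses and the refuse-when-full policy are assumptions made for illustration.

```python
"""Added illustration of NAT session-table accounting (not Linksys firmware code)."""
from collections import OrderedDict

TABLE_CAPACITY = 520   # figure quoted in the comment above
IDLE_TIMEOUT_S = 120   # assumed UDP idle timeout; not taken from the thread


class NatTable:
    """Hypothetical bounded NAT table keyed on the UDP session 5-tuple."""

    def __init__(self, capacity=TABLE_CAPACITY, idle_timeout=IDLE_TIMEOUT_S):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.sessions = OrderedDict()  # key -> last-seen time, oldest first
        self.refused = 0

    def _expire(self, now):
        # Drop sessions that have been idle longer than the timeout.
        while self.sessions:
            key, last_seen = next(iter(self.sessions.items()))
            if now - last_seen <= self.idle_timeout:
                break
            del self.sessions[key]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Account for one outbound UDP packet; True means it is forwarded."""
        self._expire(now)
        key = ("udp", src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            # Same session: refresh the existing entry, no new memory used.
            self.sessions[key] = now
            self.sessions.move_to_end(key)
            return True
        if len(self.sessions) >= self.capacity:
            # Table full: refuse the new mapping instead of overflowing.
            self.refused += 1
            return False
        self.sessions[key] = now
        return True


# Constructed sample traffic (RFC 5737 documentation address as the remote end).
LAN_HOST, REMOTE = "192.168.1.100", "203.0.113.10"


def single_stream(packets=10_000):
    """Many packets on one session occupy exactly one table entry."""
    table = NatTable()
    for i in range(packets):
        table.outbound(LAN_HOST, 5000, REMOTE, 27888, now=i * 0.01)
    return len(table.sessions)


def many_sessions(distinct=600):
    """Distinct remote ports are distinct sessions; the table caps at capacity."""
    table = NatTable()
    for n in range(distinct):
        table.outbound(LAN_HOST, 5000, REMOTE, 1024 + n, now=n * 0.01)
    return len(table.sessions), table.refused


def after_idle(distinct=600):
    """Once idle entries time out, new sessions are accepted again."""
    table = NatTable()
    for n in range(distinct):
        table.outbound(LAN_HOST, 5000, REMOTE, 1024 + n, now=n * 0.01)
    accepted = table.outbound(LAN_HOST, 5001, REMOTE, 53, now=1000.0)
    return accepted, len(table.sessions)


if __name__ == "__main__":
    print("entries for one 10,000-packet stream:", single_stream())
    print("entries, refused for 600 sessions:", many_sessions())
    print("accepted, entries after idle period:", after_idle())
```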
theres other problems too! (Score:2)
It also CORRUPTS data within the network. I was running apache on my system and when I accessed it with loopback (or from any other computer on the network), the pages would come back garbled in some way half the time. It did this for people outside the network too on early versions of firmware, but they fixed the outside problem. I guess they didn't bother to check inside. When I plugged the system straight into the modem, problems disappeared.
After getting no support (box says '24/7'...I tried 8 times for a total of 16 hours worth of being put on hold) and no returned emails, I kicked this piece of shit to the curb and bought a Netgear.
Haven't had a problem since. Spend the extra $20 and buy a Netgear.
Re:Those Dumb Fucks (Score:2)
Re:NOT a bad piece of hardware (Score:2)
Only DOS Attacks? Could be worse. (Score:2, Funny)
There are problems with wireless, too (Score:5, Informative)
The following showed up on the NetStumbler [netstumbler.com] site yesterday:
Sending a broadcast packet to UDP port 27155 containing the string "gstsearch" causes the accesspoint to return wep keys, mac filter and admin password. This happens on the WLAN Side and on the LAN Side.
Systems Affected:
Vulnerable, tested, OEM Version from GlobalSunTech:
Possibly vulnerable, not tested, OEM Version from GlobalSunTech:
In other news, JWZ's DNA Lounge [dnalounge.com] is having troubles [dnalounge.com] with their Linksys WAP11-based wireless link, which is their only connectivity right now.
(They lost their T1 due to XO's bankruptcy and above.net closing a facility. Another T1 is on the way, but it'll be a couple weeks...)
in a related story ..... (Score:5, Funny)
What a lame report! The sparse on details is that the remote management feature is not enabled by default. Well, doh!, if I turn on remote management someone can get in and affect my system (particularly if I don't change the password). Imagine that!
why would anyone have remote-management enabled? (Score:2)
"*in case i forgot to configure something before i went out" is not a good answer, by the way.
You will have more problems than DoS if you have the remote-configure enabled anyway - instead of a boring little DoS, I would try to crack the password and put all your computers in the demilitarized zone (is that what they call it these days?) and then try to break into your Windows boxes (or Linux or whatever). I bet half the people out there (probably more) never even changed the default password on their routers.
Sigh... this is such a non-issue. I can't believe I am wasting a whole 5 minutes yapping about it.
Re:why would anyone have remote-management enabled (Score:2)
Why not? Just today I realized that since I had upgraded my router's firmware, I had not opened the ssh ports to the OpenBSD box behind it.. and there were some files on that box I needed to put up for download from work.
So, I logged into the router, opened port 22 to the OBSD box, and then proceeded to ssh into it. This was a lifesaver.
But... (Score:2)
(Seriously, does anyone read a thread before they post anymore?)
I'm glad they posted this. Eventually I'll go over to my mom's house and upgrade her firmware. I can't really see her crashing her own router... well, not on purpose, anyway. She might by accident trying to go to Yahoo! (which is what she calls whatever browser she happens to be using, unless it's AOL. No, not net savvy.)
Mac OS Instructions (Score:5, Informative)
Another one to add to this list (Score:3, Informative)
I reported this to linksys, they quickly gave me another firmware update, but other users reported the same thing.
http://arstechnica.infopop.net/OpenTopic/page?a
Linksys vulnerabilities (Score:2)
Linksys firmware since February 2002 has been reasonably decent. Early versions would crash about once a day in normal operation.
Update without Windows client? (Score:2)
It's not all that urgent for me, since however idiotic I might be, I made doubly sure when I set the thing up that remote management was disabled. Imagine all the "http://admin:admin@address/" attempts there'd be otherwise.
Re:Update without Windows client? (Score:5, Informative)
tftp address of router
tftp> mode binary
tftp> put code.bin
tftp> quit
After you're done, reset your password.
Obvious once someone else points it out.
Re:Update without Windows client? (Score:2)
This has been out for weeks! (Score:2)
could be the first in a line of problems (Score:3, Insightful)
This could be a serious problem in the coming future with these small routers/NATers being combined with wireless APs for everyone to use AIM from the couch. Great and all but people with these things are probably going to bother even less with security than they do now, thereby introducing a whole host of nasty little attacks.
This should be interesting to watch for.
Router is not the only problem (Score:3, Interesting)
Sending a certain string over a certain UDP port will cause the AP to return the WEP key, mac filter settings, and admin password over the WLAN and LAN side.
Exploit can be found here [netstumbler.com]
Makes me glad to have bought an Apple Airport for a change.
Re:Router is not the only problem (Score:2)
Another Reason Not To Worry (Score:2, Informative)
The third reason is that Block WAN Request is enabled by default. This is how these routers make themselves invisible to the web: they just drop the packets that come from outside. This can be combined with opening a specific port (forwarding), in which case the traffic on that port is directed to a SPECIFIC machine on the LAN.
The Lazy Way... (Score:3, Informative)
BTW, the last firmware upgrade on the "41" works great with WinXP UPnP. Fairly easy to set up safely (update Windows), and it lets me put my dad behind NAT and still fix his system remotely using XP Remote Assistance. It actually works, much to my amazement, and AFAIK, there are no serious vulnerabilities if it's done right.
1.42.7, 1.43 (Score:2)
1.43 seems to still have a bug where the uPnP forwarding page doesn't load properly. Linksys' "fix" for BEFSR41 v1 owners is to load the FORMER version of firmware which doesn't have uPnP which is apparently susceptible to this vulnerability. (Note: I have remote management turned off, please don't waste time trying to hax0r me.)
As a result I am never buying another linksys firewall product nor am I suggesting them for others. I'm hoping that someone will bring out a mini itx with dual ethernet soon so I can cheaply build a very small linux-based replacement for my linksys box. (IE, which runs off a small power supply.) I have a 2 gig laptop disk just sitting waiting...
Re:1.42.7, 1.43 (Score:5, Informative)
It's just a firewall. It doesn't need mass storage, or at least nothing more than a few megs. It just needs to be reliable.
So. Just beg your friend for the throwaway 8- or 16-meg compactflash card that came with his camera, and plug it into one of these [peeweelinux.com].
Less power (can we say "fanless PSU"?), more speed, and superb reliability. With proper research, the adapter should be in the same price range as the 2.5" IDE adapter kit that you'd need for a laptop drive...
Save the hard drive for things that can benefit from the space.
Re:1.42.7, 1.43 (Score:2)
Never trusted them... (Score:2, Interesting)
Support? (Score:2)
I own this product, so have decided to upgrade the firmware. Since I'm running Debian, I clicked the "Other Operating Systems" link on the firmware download page [linksys.com], only to be presented with a ZIP archive containing a Windows executable! Is this some kind of sick joke?
Local Link for Router Owners (Score:2, Informative)
If you own this router and you own IE 5 or above, please visit this upgrade page [192.168.1.1], substituting the IP of your modem for 192.168.1.1 [Default].
Nothing new here (Score:2, Interesting)
My first venture into the fray was with an XSense (formerly MacSense) Xrouter. It was their variation on the "cable router" scene, for what is really more properly named a NAT box. It seemed to handle the fileserver well and port mapping was working fine. For their credit I'd also like to say they have some of the most impressive event logging I have ever seen, even recognizing attacks and identifying them by name. Then I tried to run a traceroute to an outside point to see how hop times were looking. Nothing.
"Maybe it's filtering my packets?" I think, and try to connect to its web administration page, but no response. Oops, my clients just lost connection to the servers they were attached to. And look, all the users are dropping off my server. What the...? It turns out that any attempt to traceroute out causes the router to reboot. It continues to reboot until you stop the traceroute, and then takes several seconds to unscramble its eggs before you get connectivity back.
I called up XSense and asked them what was going on, and if they had a firmware flash for me to fix it. Surprise, he reminds me that they did indeed ship their own traceroute program with the router, and I should use that. I run it, and surely enough, no crash. Tried every other traceroute app I could find, and every single one crashed the router except theirs.
The words known issue float through my head. I bickered a bit with the rep about how NO app I (or any of my users!!!) runs should be able to crash my NAT. End result, they don't care. Got off the phone with them and called up the vendor, they're like "here, let me get you the manufacturer's support number". "Nope, they told me tough luck they know about it and they don't care." "Oh... let me get you an RMA."
I actually ended up exchanging it for an Asante FR4003, which has worked flawlessly ever since. It gets a bit warm, so I keep it elevated so the metal bottom plate gets some convection. (It really should have some ventilation slots.) And they've updated their firmware twice now, once both times including suggestions for improvements that I sent them. Very solid product. Interesting people answering their tech support though, I got a bit agitated one time when I was doing something stupid and got a bit argumentative with them... that's the only time I've ever had a customer support rep tell me to "shut the hell up and listen for a minute!" but maybe that's what I needed to hear at the time...
This maybe offtopic but it's on i think (Score:2)
I mean christ, their webpage is falling apart, sure Addtron routers may not be as flashy as Netgear or Linksys brandwise, but damn, it can't be *that* hard or *that* costly to maintain a site well enough to get the firmware updates that people need.
At least there are brands that try to take care of their customers' concerns. Yeah I know a homebrew Linux router would do the trick, but I paid good money for this router and they give me an unusable site for support in return.
MS Hardware (Score:2)
Over the years I've had several Linksys and Netgear routers fail. I got tired of that and decided to try something new. Since I wanted good UPNP support I grabbed one of the new Microsoft routers. I'm not sure who actually makes them, but I figured they had good keyboards and mice, right?
The router is VERY nice. The interface is the best of the bunch, by far. While the Linksys never showed up as a UPNP device on my network (even with upgraded firmware and UPNP enabled) the MS router did. It also has a very simple setup procedure for a new user so they could get a whole network going in a few minutes with no confusion. I've also read that their wireless NAT routers will NOT let you run without WEP enabled and it makes it real easy to enable it. It writes the key to a floppy that can be put in the client workstations to get WEP going.
Linksys WET11 also has DOS problem (Score:2)
What.....like this? (Score:2)
What.....like this: [union.edu]
Re:Yeah Right.... (Score:2)
Re:Linksys SUCKS!!! (Score:2)
Re:Linksys SUCKS!!! (Score:2)
Re:Linksys SUCKS!!! (Score:2)
And yeah, I've used the BEFSR41 for two+ years now, and it's been rock solid for me, as well. There is (or at least was) one problem where you could slip traffic into the inside network even though the firewall should have rejected it, but I'm pretty sure that's been fixed by now. Besides, you'd have to know the IP assigned to the interior machine to actually get traffic to it using this technique (which is why mine's not set up to use the default DHCP scheme).
Xentax
WAP 11 does not suck (Score:2)
Re:WAP 11 does not suck (Score:2)
Re:Linksys (Score:2)
Re:Linksys (Score:2)
Re:Linksys (Score:2, Informative)
for even lazier people...click (Score:2)
Re:Old News (proof) (Score:2, Informative)
Here [securepoint.com] is a mailing list archive or yet another redundant reference of this problem. It's almost a year old. Come on slashdotters, don't get sloppy in the deluge huh?
So that's what happened to me 3 weeks ago... (Score:2)
Still a great piece of hardware.
Re:What's the best home router to buy? (Score:2)
PPPoE (Score:2)