Popular Home Router Flaw Found
November 05, 2002
UPDATE: Officials downplay the extent of the vulnerability, saying it only affects older firmware versions and requires the user's password.
A remote management flaw, recently published by a security firm, affects older versions of the Linksys EtherFast Cable/DSL Router and could extend to the company's entire home networking product line.
While a PC user on the home network could trigger the vulnerability, the biggest threat comes from attackers who break into the router using a simple remote exploit. According to iDEFENSE, all an attacker need do is attach a .cgi request to the router's IP address to crash the router.
Hitting the "reset" button on the back reboots the router and removes the flaw. The flaw also doesn't give attackers a back door into the users' PCs running on the home network.
The threat, discovered in August, was never acknowledged by Linksys officials, who asked iDEFENSE to hold off publishing the vulnerability until Linksys engineers had a chance to look into the issue. iDEFENSE informed its own customers of the vulnerability immediately, then waited two months for a Linksys response. The security firm decided to publish the vulnerability last week.
According to Karen Sohl, Linksys spokesperson, the flaw has been corrected since Sept. 4, when the company released a firmware upgrade that addressed the vulnerability. She said Linksys was unaware of the iDEFENSE report because of a company-wide email address change and so was never able to get a response to the security company, and she suggested iDEFENSE contact Linksys again if it has problems getting an answer.
Sohl played down the severity of the vulnerability, saying, "The vulnerability only exists if the attacker knows the password of the device and if remote management is enabled; it's off by default. Someone knowing your password is the issue itself. If they don't know the password, it will be very, very difficult to make the attack."
"We don't publish any statements," she said when asked whether the company sends out advisories of known vulnerabilities affecting Linksys products. She said users should read the documentation attached to the firmware release to see whether it fixes known issues.
iDEFENSE experts and Linksys officials recommend that BEFSR41 users upgrade to the latest firmware version for their router or disable remote management. In most cases, they said, home networks don't require much remote administration in the first place.
The security outfit suspects all routers in the Linksys line running firmware versions from 2001 and earlier are open to the vulnerability. For the BEFSR41, firmware versions 1.42.7 and later correct the flaw.
The vulnerability becomes more dangerous if it also affects Linksys' wireless home router, the popular BEFW11S4, one of several wireless home networking products from the manufacturer, which holds a dominant 24 percent market share in the industry. According to research firm MDR/Instat, more than 16 million home networks will be installed worldwide by the end of the year.