A remote management flaw, published by a security firm recently, affects
older versions of the Linksys EtherFast Cable/DSL Router and could extend
to the company’s entire home networking product line.
While a PC user on the home network could access the vulnerability, the
biggest threat comes from attackers who break into the router using a
simple remote exploitation. According to iDEFENSE, all an attacker need do
is attach a .cgi request to the router’s IP address to crash the router.
Hitting the “reset” button in the back reboots the router and removes the
flaw. The flaw also doesn’t give attackers a back door into the users PCs
running on the home network.
The threat, discovered in August, was never acknowledged by Linksys
officials, who asked iDEFENSE to hold off publishing the vulnerability
until its engineers had a chance to look into the issue. Immediately
informing its customers of the vulnerability, the company waited two months
for a Linksys response. The security firm decided to publish the
vulnerability last week.
According to Karen Sohl, Linksys spokesperson, the fix has been corrected
since Sept. 4, when it released a firmware upgrade that addressed the
vulnerability. Unaware of the report by iDEFENSE because of a company-wide
email address change, she said they were never able to get a response to
the security company and suggests iDEFENSE contact Linksys again if they
have problems getting an answer.
Sohl minimized the extremity of the vulnerability, saying, “the
vulnerability only exists if the attacker knows the password of the device
and if remote management is enabled; it’s off by default. Someone knowing
your password is the issue itself. If they don’t know the password, it
will be very, very difficult to make the attack.”
“We don’t publish any statements,” she said when asked whether the company
sends out advisories of known vulnerabilities affecting Linksys
products. She said users should read the documentation attached to the
firmware release to see whether it fixes known issues.
iDEFENSE experts and Linksys officials recommend BEFSR41 users upgrade to
the latest firmware version of their router (found here) or to
disable remote management. In most cases, they said, home networks don’t
require much remote administration in the first place.
The security outfit suspects all routers in the Linksys line running
firmware versions from 2001 and earlier are open to the vulnerability. For
the BEFSR41, firmware versions 1.42.7 and later correct the flaw.
The danger in the vulnerability is if it affects Linksys’ wireless home
router, the popular BEFW11S4, one of several wireless home networking
products by the manufacturer that holds a dominant 24 percent market share
in the industry. According to research firm MDR/Instat, more than 16
million home networks will be installed worldwide by the end of the year.