More than 20 Linksys router models are vulnerable to attacks that allow a third party to reboot or lock out affected devices and extract sensitive router data from them. According to IOActive, impacted routers include some of Linksys' latest Smart Wi-Fi Router brands, specifically the EA and WRT series. There is currently no fix for the flaws; however, there are measures users can take to mitigate risk.
IOActive said it found 10 vulnerabilities impacting the affected Linksys routers. During its investigation, IOActive identified 7,000 of the vulnerable routers in use. But it said more than 100,000 additional routers vulnerable to the flaws could also be in use.
“The 7,000 devices we mentioned represent only the devices we found, and not the devices that are actually running. Linksys has not provided any specific estimate so we can only guess how many there are. We wouldn’t be surprised if there was tens or hundreds of thousands impacted, based on the popularity of Linksys routers and based on how many models are affected,” said Tao Sauvage, a security consultant with IOActive Labs, in an interview with Threatpost.
IOActive said it isn’t aware of any active exploitation of the vulnerabilities in the wild.
Linksys, which was acquired by Belkin in 2013, said in a statement released Thursday: “The Linksys Security team has been working with IOActive to confirm and resolve all reported issues. We will be releasing firmware updates for all affected devices.”
IOActive conducted its vulnerability testing of Linksys routers late last year and notified the company in January of the flaws. Researchers identified 10 vulnerabilities in the router firmware ranging from “low to high risk.”
“A number of the security flaws we found are associated with authentication, data sanitization, privilege escalation, and information disclosure,” wrote Sauvage in a technical description of the vulnerabilities posted Thursday.
IOActive said that at the time of its testing it used Shodan to identify 7,000 vulnerable routers exposed on the Internet. It noted that vulnerable routers protected by strict firewall rules or running behind a network appliance likely skewed the true number of routers in the wild impacted by the vulnerabilities. Those routers, IOActive said, could still be compromised by attackers who have access to routers from within an internal network.
The entire line of EAxxxx series routers is impacted, along with WRT series router models WRT1200AC, WRT1900AC, WRT1900ACS and WRT3200ACM.
“Linksys did not specify if all 20 models were impacted by the same vulnerabilities we reported. A lot of Smart Wi-Fi models share a common code base, which is then tuned for each model. Based on our testing, the most serious vulnerabilities we identified seem to affect all of the 20 models,” Sauvage said.
The most serious of the vulnerabilities found allow unauthenticated attackers to create a denial-of-service condition on the router. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack,” Sauvage wrote.
The DoS vulnerability, Sauvage said, is fairly easy for an attacker to exploit. The attack can be performed from a single computer and requires very little knowledge and only a handful of requests, according to Sauvage. “From a single attack source, you can completely disrupt the service of the router for as long as you want,” he said.
In another attack scenario, adversaries can bypass the authentication protecting the CGI scripts, allowing them to collect technical and sensitive information about the router, researchers noted. Sensitive data includes firmware and Linux kernel version information, a list of running processes and connected USB devices, and the Wi-Fi Protected Setup PIN for the Wi-Fi connection.
An additional flaw allowed authenticated users to inject and execute commands on the router’s firmware, giving them root privileges to set up secret backdoors that couldn’t be removed by the router’s admin account user, IOActive said. “By exploiting the RCE, you would not be constrained by the features the web interface offers. You could run arbitrary code on the device and turn the router into a bot, like we have seen with Mirai for instance,” Sauvage said.
Linksys said it was working on providing a firmware update for impacted devices. In the interim, it suggests customers disable the router’s WiFi Guest Network setting, enable automatic updates and change default admin passwords.
IOActive said that of the 7,000 routers it detected online that contained one of the 10 vulnerabilities, 11 percent (or 770) were using default credentials.