Cisco clarified today that its Linksys EA2700 home routers running the new Smart Wi-Fi firmware released last June are immune to vulnerabilities disclosed this week by a researcher. However, EA2700 routers still running the classic EA2700 configuration remain vulnerable to a host of flaws, and more than 2,000 of them that are vulnerable to an authentication bypass exploit can be found on the Shodan search engine.
A Linksys representative told Threatpost via email that the Smart Wi-Fi firmware, pushed close to a year ago, is not vulnerable to a handful of serious vulnerabilities in the home routers that are still present in boxes not running the new firmware. The flaws include cross-site scripting, file path traversal and authentication bypass vulnerabilities.
“If customers use methods of setup and configuration other than the methods recommended by Linksys, such as using Web browser setup (192.168.1.1), or if customers use older firmware, they could be at risk of potential attacks,” the Linksys representative said. “Accordingly, all Linksys EA customers are strongly encouraged to upgrade to the new Smart Wi-Fi firmware.”
A quick search on Shodan, a search engine created to find servers, routers, network devices and other equipment that sits online, found 2,073 home routers vulnerable to an authentication bypass vulnerability disclosed by researcher Phil Purviance this week. Shodan users can filter searches to find specific equipment by manufacturer, function and even geographic location.
“You can get a list of those routers with remote access enabled, meaning the owner of the router decided he may be away from home and still need to manage his options and settings,” Purviance said. “Those 2,000 devices are all running the classic version of the firmware and you can take that authentication bypass vulnerability, exploit it and go to any one of those sites, change the password and get access to it.”
Purviance reported his findings to Cisco on March 5 and, after an initial response from the company asking for the model number or version of the router he analyzed, never got a second response. No patches are available that repair the bugs in the classic setup. Purviance said he dug into the administration features on the router’s embedded management website, apply.cgi, and the vulnerabilities he found range in severity and in how simple they are to exploit.
“Any potential issues arising from the cited vulnerabilities have been eliminated in the latest version of the Linksys Smart Wi-Fi firmware that was made available last June. This update was made seamlessly for customers with Smart Wi-Fi accounts,” the Linksys representative said. “Those who have not signed up for Smart Wi-Fi were alerted to upgrade manually and are strongly encouraged to update their firmware to ensure that they have eliminated any potential issues relating to the cited vulnerabilities.”
Some users apparently balked at a forced upgrade on the EA routers, which were released in April and upgraded to the new firmware in June. Users were asked to register for a cloud-based service to enable automatic updates, transitioning router management to the user’s new Smart Wi-Fi account, and off the embedded Web-enabled interface. Purviance said language in the initial terms of service indicated Cisco could monitor the new cloud-based accounts, a situation that has since changed, he added.
“There are still a lot of people running the classic model firmware and they are provided updates separately,” Purviance said, adding that the classic firmware option is still available as a download for users who want to downgrade off Smart Wi-Fi and manage their own device. “That’s what’s vulnerable, and not Smart Wi-Fi.”
Purviance discovered four serious vulnerabilities on the routers: a cross-site scripting flaw that could enable an attacker to modify the device and firmware; a file path traversal bug that could give an attacker remote access to password or configuration files; a cross-site request forgery vulnerability that would allow an attacker to change log-in information and remotely control the router; and a source-code disclosure vulnerability where an attacker could modify the URL of the admin interface and be presented with raw source code.
“We have and will continue to urge our customers to use our recommended methods of setup and configuration, and to change their user names and passwords periodically,” the Linksys representative said.