Linksys routers sold to consumers as a home or small office networking box are vulnerable to a simple exploit that could give an attacker remote access to the router. The vulnerabilities are wormable, yet are unrelated to the Moon worm reported last week by the SANS Institute.
Linksys, which was acquired by Belkin a year ago, was notified in July but has yet to deliver a fix, according to researcher Kyle Lovett.
Lovett said Linksys EA2700, EA3500, E4200 and EA4500 routers have an innate weakness through which during installation or upgrade, port 8083 is left open. An attacker would need to merely scan Shodan or another search engine for the open port on the respective models and be dropped into the remote administration GUI, bypassing existing authentication, Lovett said. Up to 30,000 routers have been found in scans, Lovett said. He added that port 443, through which HTTPS traffic passes, also shows as open during setup in order to allow non-volatile RAM (NVRAM) to pass data.
An attacker could then upload malicious code or tamper with configuration settings in order to redirect traffic. The vulnerability, though unconfirmed, appears to be with a number of vulnerable CGI scripts that can be exploited.
“What happens is during installation or upgrade, often times one of the CGI script hangs and doesn’t complete,” Lovett said. “The system then just bypasses the rest of the setup and operates as is.”
Four vulnerable scripts have been identified: fw_sys_up.cgi; override.cgi; share_editor.cgi; switch_boot.cgi.
“The port exploit is just a matter of scanning for an open port,” Lovett said. “Then someone could upload malicious code.”
Lovett reported the bug to Linksys last July and did a partial disclosure a month later to alert users after Linksys failed to produce a fix. Lovett said his last email to the company two weeks ago regarding the vulnerability went unanswered.
An advisory on Bugtraq, meanwhile, warns users not to rely on the router’s GUI to show the true status of remote access; the bug is present regardless of whether remote access is disabled by default.
“In the case of this bug, [remote access] gets switched on because of the CGI issue,” Lovett said. “By default, without the bug occurring, remote access is turned off. Honestly, I just don’t see the benefits of turning on remote access unless there is a very specific need. Most consumers don’t understand that turning that feature on, that they are in fact hosting a web site, which is subject to the same attacks and problems as other full websites.”
The Moon worm, reported last week by the SANS Institute, has also been spreading on Linksys routers. However only one of the products vulnerable to Moon overlaps with the vulnerability reported by Lovett–the E4200. Moon does, however, also exploit a vulnerable CGI script that allows remote access to flawed routers.
Moon connects to port 8080 and using the Home Network Administration Protocol (HNAP) used in Cisco devices, calls for a list of router features and firmware versions, Johannes Ullrich of SANS said. Once it learns what type of router it has infected, it exploits a vulnerable CGI script that allows it to access the router without authentication and begins scanning for other vulnerable boxes. SANS CTO Ullrich said researchers had not been able to find a malicious payload and were unsure whether a command and control connection is functional.
“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide,” Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”
Linksys said its older E-series routers and Wireless-N access points ship with the Remote Management Access feature off by default and customers must enable it to be vulnerable.
“Customers who have enabled the Remote Management Access feature can prevent further vulnerability to their network by disabling the Remote Management Access feature and rebooting their router to remove the installed malware,” Linksys said in a statement. “Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks.”