News Stay informed about the latest enterprise technology news and product updates.

'Serious' security holes in Linksys router

The wireless router has five flaws attackers could use to tamper with passwords and firewalls, install firmware and cause a denial of service.

Attackers could exploit a variety of security holes in the Linksys WRT54G wireless router to tamper with passwords and firewalls, install firmware or cause a denial of service, iDefense warned in a series of advisories Wednesday.

"Some of these vulnerabilities are very serious," the Bethesda, Md.-based SANS Internet Storm Center warned on its Web site. "Users of these products are highly recommended to patch their devices."

Linksys is a division of San Jose, Calif.-based networking giant Cisco Systems, whose routers and switches make up a significant part of the Internet's infrastructure. Its WRT54G model is a combination wireless access point, switch and router. According to iDefense, which is part of Mountain View, Calif.-based VeriSign Inc.:

The first problem is a design error unauthenticated users could exploit to modify the router configuration.

"The vulnerability specifically exists in the 'ezconfig.asp' handler of the httpd running on the internal interfaces, including, by default the wireless interface," iDefense said. "Successful exploitation… would allow an unauthenticated user… to modify the configuration of the affected router, including the password. This could allow firewall rules to be changed, installation of a new firmware with other features, or denial of service."

More recent news on Cisco and iDefense:

Cisco IOS flaw prompts Symantec to raise threat level

 

VeriSign acquisition: Will iDefense keep looking underground for flaws?

The second problem is a buffer overflow vulnerability in the "apply.cgi" handler of the httpd running on the internal interfaces, including, by default, the wireless interface.

"Successful exploitation… would allow an unauthenticated user to execute arbitrary commands on the affected router with root privileges," iDefense said. "This could allow any operation to be performed on the router, including changing passwords and firewall configuration, installation of new firmware with other features, or denial of service."

The third problem is a design error in the router's "restore.cgi'" component. The security hole specifically exists in the "POST" method of the "restore.cgi" handler. The httpd running on the internal interfaces, including by default the wireless interface, does not check if authentication has failed until after data supplied by an external user has been processed, iDefense said.

"Successful exploitation… would allow an unauthenticated user… to modify the configuration of the affected router, including the password," iDefense said. "This could allow firewall rules to be changed, installation of a new firmware with other features, or denial of service."

The fourth problem is a design error in the router's "upgrade.cgi" component when the "POST" method is used. The httpd running on the internal interfaces, including, by default, the wireless interface, does not check if authentication has failed until after data supplied by an external user has been processed. The upgrade.cgi handler allows a user to upload new firmware, which contains the operating system and applications, into the non-volatile memory of the router, the advisory said.

"Successful exploitation… would allow an unauthenticated user… to completely compromise the affected router, by installation of an arbitrary firmware," iDefense said. "As the source code and tools for compiling the firmware are available from the vendor, an attacker could simply rebuild the firmware and add the extra functionality."

The fifth problem is an input validation error within the router's Web management httpd component. The flaw is in several of the "POST" method handlers of the httpd running on the router's internal interfaces, including, by default, the wireless interface.

"In addition to not checking if authentication has failed until after data supplied by an external user has been processed, there are several places where the Content-Length is assumed to be valid," iDefense said. "In some of those cases, data is read in without error checking while decrementing the length value. If the Content Length is set to a negative number, these checks will take an extremely long time, during which the httpd will become unresponsive."

The advisories specify which versions of the product are affected by the various flaws and outlines the workarounds and fixes.

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close