Topic: New vulnerabilities in DSL modems: Cisco, Linksys, Belkin, Diamond, OpenWAG etc.

[Samker]

The new year begins as the old year ended: with yet more vulnerabilities turning up in consumer-grade DSL modems.

A broad hint for any broadband user would be, it seems, to never, ever enable any kind of remote access to the device that connects you to the Internet. However, the hack published by Eloi Vanderbeken at github, here: https://github.com/elvanderb/TCP-32764 , resets devices to factory default, enabling a remote attack without the password.

Vanderbeken says the backdoor is confirmed in devices from Cisco (under both Cisco and Linksys brands, the latter since offloaded to Belkin), Netgear, Diamond, LevelOne and OpenWAG. According to a post on HackerNews: https://news.ycombinator.com/item?id=6997159 , the common link between the vulnerable devices is that they were manufactured under contract by Sercomm.

Trying to access a Linksys WAG200G device for which he'd forgotten the password, Vanderbeken noticed the device was listening on Port 32764, an undocumented service noted by other users. Reverse engineering the MIPS code the device's firmware is written in, he says he located a way to send commands to the router without being authenticated as an administrator.

In particular, the backdoor allowed him to brute-force a factory reset without providing a password – meaning that on his next login, he had access to everything.

Vanderbeken's proof-of-concept python code includes reporting on whether the device it's running against is vulnerable or not.

It seems that at least this vulnerability doesn't permit a silent attack: if an outsider ran the code against someone's router, the crash and resulting reset to default passwords would at least alert the victim that something had happened.

(ElReg)

[devnullius]

Good thing for auto firmware updates 

[jheysen]

Yay, my router doesn't have the vulnerability :p
But I fiund it extrange to leave such a big security hole in the FW... maybe it was a test service that slid into production?

[devnullius]

Is there a testlink I overlooked?? Been tabbing like crazy @ the moment...

 

[jheysen]

If you go into the git repo, you can run the python script, or look into the documents and see which models have already been tested and if they were found vulnerable or not, but as I see things, looks like all routers made by that company carry the vulnerability...
Also, look the open letter to journalists.. :p

[devnullius]

Good, I'm not on the list

Thanx for clarification!

[Samker]

Asus is now distributing a firmware update that will change the default security settings on its broadband routers after files on thousands of external hard drives were found easily accessible over the Internet.

The problem was reported last week and stems from how Asus’ routers are configured. Access to an external hard drive that’s been attached to a router’s USB port via FTP can be activated manually or by using a wizard, but both leave the router open by default.

As a result, the files of users in Europe and the U.S. were found accessible via the Internet, according to industry experts and tests conducted by PC World Norway and TechWorld Sweden.

After being questioned about the problem, Asus decided to develop a firmware update to fix the issue, which is now being distributed via its website and the directly from the router user interface.

“The update changes the default security setting from unlimited to limited access rights when setting up a FTP server. This change will ensure that the end user doesn’t leave their FTP server unprotected by mistake and also make it easier to understand the implications of the different security options,” the company said in a statement.

There is now a warning that it’s possible to access files via FTP without entering a password when a user has chosen the limitless access setting, according to Asus.

The update has already been released for the RT-AC68U router: https://www.asus.com/Networking/RTAC68U/#support , and will this week also become available for the RT-AC56U, RT-AC66U, RT-N66U and RT-N16 routers. Remaining routers will be updated next week, Asus said.

(PCW)

[Samker]

Cisco Systems promised to issue firmware updates removing a backdoor from a wireless access point and two of its routers later this month. The undocumented feature could allow unauthenticated remote attackers to gain administrative access to the devices.

The vulnerability was discovered over the Christmas holiday on a Linksys WAG200G router by a security researcher named Eloi Vanderbeken. He found that the device had a service listening on port 32764 TCP, and that connecting to it allowed a remote user to send unauthenticated commands to the device and reset the administrative password.

It was later reported by other users that the same backdoor was present in multiple devices from Cisco, Netgear, Belkin, and other manufacturers (first article - above). On many devices this undocumented interface can only be accessed from the local or wireless network, but on some devices it is also accessible from the Internet.

Cisco identified the vulnerability in its WAP4410N Wireless-N Access Point, WRVS4400N Wireless-N Gigabit Security Router and RVS4000 4-port Gigabit Security Router. The company is no longer responsible for Linksys routers, as it sold that consumer division to Belkin early last year.

The vulnerability is caused by a testing interface that can be accessed from the LAN side on the WRVS4400N and RVS4000 routers and also the wireless network on the WAP4410N wireless access point device.

”An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system,” Cisco said in an advisory published Friday. “An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges”: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd

The company noted that there are no known workarounds that could mitigate this vulnerability in the absence of a firmware update.

The SANS Internet Storm Center, a cyber threat monitoring organization, warned at the beginning of the month that it detected probes for port 32764 TCP on the Internet, most likely targeting this vulnerability: https://isc.sans.edu/diary/Scans+Increase+for+New+Linksys+Backdoor+%2832764TCP%29/17336

(PCW)

[devnullius]

Good to see they are checking up!

[Samker]

Have a Linksys router? Now's a good time to update that firmware

Owners and administrators of Linksys home routers are being advised to update and secure their devices following reports of active attacks on a flaw present in at least two models.

Researchers with the SANS Institutes Internet Storm Center have received reports of mass attacks on a remote access vulnerability in the Linksys E1000 and E1200: https://isc.sans.edu/forums/diary/Suspected+Mass+Exploit+Against+Linksys+E1000+E1200+Routers/17621
The reports, which were noted by an ISP administrator in Wyoming, claim that some customers running the Linksys routers have had their networks compromised.

According to the reports, the compromised routers scanned network traffic rapidly on port 80/8080, saturating available bandwidth, and in some cases their DNS settings were modified.

While the exact nature of the flaw being exploited is not yet known, early speculation is that the issue could be related to components using the home network administration protocol (HNAP).

SANS noted that E1200 routers with the latest 2.0.06 firmware version seemed to be immune to the spotted attacks, but the E1000s – which are no longer supported – were not, even with the most recent firmware installed.

Linksys did not return a request to confirm or comment on the reports.

Dr. Johannes Ullrich, chief research officer with the SANS Institute, told The Reg that in addition to updating firmware, owners and administrators of the vulnerable routers should look to tighten their administrator access controls.

"They should either turn off remote admin functionality, or restrict it to IP addresses from which they need to access the router if they can," Ullrich said.

The report comes not long after word surfaced of other security vulnerabilities found in routers made by Linksys' former parent company, Cisco. Those flaws affected a number of small business products from Cisco, and did not impact any Linksys branded devices.

(ElReg)


Download latest firmware for your Linksys router: http://support.linksys.com/en-eu/support/linksys