Two Linksys routers running SMART Wi-Fi Firmware are still vulnerable to remote attacks

Two models of Linksys routers running SMART Wi-Fi Firmware remain vulnerable to a pair of vulnerabilities recently patched by the company.

Linksys EA2700 and EA3500 are the two routers running Linksys SMART Wi-Fi firmware that are still affected by a couple of vulnerabilities recently patched in different models of the Belkin-owned networking gear.

On October 31th, the US-CERT issued the Vulnerability Note VU#447516 related to the presence of multiple vulnerabilities in Linksys SMART WiFi firmware.

An attacker could remotely exploit both the vulnerabilities to steal user credentials and access to the router settings.

The exploits for vulnerabilities are publicly available since September, a Turkish hacker published on his website the code to remotely hack the EA3500 and EA6500 models. Linksys EA series routers running the Linksys SMART WiFi firmware are affected by multiple flaw.

The researcher Kyle Lovett reported the vulnerabilities in July and Linksys fixed the flaws bugs on October 23th for the network devices included in the following list:

• E4200v2
• EA4500
• EA6200
• EA6300
• EA6400
• EA6500
• EA6700
• EA6900

Linksys is urging his clients to enable automatic updates in the SOHO and consumers models.

“Linksys has an option to have automatic updates, which makes the patches hit far more units than other SOHO models out there,” explained Lovett.

The official advisory released by the US-CERT provided the following descriptions for the vulnerabilities in Linksys SMART WiFi firmware.

CWE-320: Key Management Errors – CVE-2014-8243

An unauthenticated attacker on the local area network (LAN) can read the router’s .htpassword file by requestinghttp(s)://<router_ip>/.htpasswd. The .htpasswd file contains the MD5 hash of the administrator password.

CWE-200: Information Exposure – CVE-2014-8244

A remote, unauthenticated user can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://<router_ip>/JNAP/. Depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router.

It should also be noted that the router exposes multiple ports to the WAN by default. Port 10080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well.

The CWE-200 is the most critical flaw because an attacker could send specially-crafted HTTP-POST requests to access sensitive data on the routers.

Recently numerous hacking campaigns hit SOHO devices, security experts at Rapid7 recently discovered a security vulnerability in NAT-PMP protocol implementations that puts 1.2 Million SOHO devices at risk.

The exploitation of the flaws could be exploited by bad actors to conduct different malicious activities, most serious and dangerous among them being the ability to redirect traffic to a website controlled by the attackers.

To fix the vulnerabilities in the models included in the list above apply the updates according the instructions provided in the security advisory issued by the US-CERT.

Pierluigi Paganini

Security Affairs –  (SOHO devices, Linksys)