[NEWS] Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

From: support@securiteam.com
Date: 11/03/02


From: support@securiteam.com
To: list@securiteam.com
Date: 3 Nov 2002 12:55:25 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL
Router
------------------------------------------------------------------------

SUMMARY

 <http://www.linksys.com/products/product.asp?prid=20&grid=23> Linksys
Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch is the perfect
option to connect multiple PCs to a high-speed Broadband Internet
connection or to an Ethernet back-bone. Allowing up to 253 users, the
built-in NAT technology acts as a firewall protecting your internal
network. A remote attacker can cause the product to crash by sending a
malformed HTTP CGI request.

DETAILS

The BEFSR41 crashes if a remote and/or local attacker requests the script
Gozila.cgi at the router's IP address with no arguments. Remote
exploitation requires that the router's remote management be enabled. A
sample exploit looks as follows:

http://192.168.1.1/Gozila.cgi?

Analysis:
Exploitation may be particularly dangerous, especially if the router's
remote management capability is enabled. An attacker can trivially crash
the router by directing the URL above to its external interface. In
general, little reason exists to allow the web management feature to be
accessible on the external interface of the router. It is feasible that
this type of vulnerability exists in older firmware versions in other
Linksys hardware.

Detection:
This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with
firmware earlier than version 1.42.7.
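
To find the request described under DETAILS in proxy or gateway access logs, and to check inventoried firmware versions against the fixed release, a detection sketch follows. It is an added example, not part of the original advisory; the log format, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Source address and request target from a simplified access-log line (assumed format)
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
FIXED = (1, 42, 7)  # first fixed firmware version, per the advisory

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.9 - - [03/Nov/2002:12:00:01 +0200] "GET /Gozila.cgi? HTTP/1.0" - -',
    '192.168.1.50 - - [03/Nov/2002:12:00:05 +0200] "GET /Gozila.cgi?a=1 HTTP/1.0" - -',
    '198.51.100.4 - - [03/Nov/2002:12:00:09 +0200] "GET http://192.168.1.1/Gozila.cgi HTTP/1.1" - -',
    '192.168.1.50 - - [03/Nov/2002:12:00:12 +0200] "GET /index.htm HTTP/1.0" - -',
]


def is_argless_gozila(target):
    """True if the request target is Gozila.cgi with no arguments."""
    parts = urlsplit(target)  # handles origin-form and proxy absolute-form targets
    script = parts.path.rsplit("/", 1)[-1]
    # Case-insensitive match is an assumption; the advisory spells it Gozila.cgi
    return script.lower() == "gozila.cgi" and parts.query == ""


def firmware_is_affected(version):
    """True if a dotted firmware version string is earlier than 1.42.7."""
    return tuple(int(p) for p in version.split(".")) < FIXED


def suspicious_sources(log_lines):
    """Return source addresses that requested Gozila.cgi with no arguments."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and is_argless_gozila(m.group("target")):
            hits.append(m.group("src"))
    return hits


if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

A hit from an address outside the LAN also indicates that remote management is reachable on the external interface.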

Recovery:
Pressing the reset button on the back of the router should restore normal
functionality.

Workaround:
Ensure the remote web management feature is disabled, if unnecessary.

Vendor fix:
Firmware version 1.42.7 and later fix this problem. Version 1.43, which is
the latest available version, can be found at
<http://www.linksys.com/download/firmware.asp?fwid=1>.

Disclosure timeline:
08/27/2002 Issue disclosed to iDEFENSE
09/12/2002 Linksys notified
09/12/2002 iDEFENSE clients notified
09/13/2002 Response received from maryann.gamboa@Linksys.com
09/19/2002 Status request from iDEFENSE
09/20/2002 Asked to delay advisory until second level support can respond
10/20/2002 No response from second level support, another status request
to maryann.gamboa@Linksys.com
10/31/2002 Still no response from Linksys, public disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:dendler@idefense.com> David
Endler of iDEFENSE; the vulnerability was discovered by
<mailto:lowjeep94@hotmail.com> Jeep 94.
