[NEWS] Denial of Service Vulnerability in Linksys Cable/DSL Routers

From: support@securiteam.com
Date: 11/21/02

  • Next message: support@securiteam.com: "[NT] Eudora Script Execution Vulnerability" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 21 Nov 2002 10:54:52 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Denial of Service Vulnerability in Linksys Cable/DSL Routers
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.linksys.com/products/group.asp?grid=23> Linksys Group Inc.
    currently sells several broadband router products, including:
     * BEFW11S4, Wireless Access Point Router with 4-Port Switch - Version 2
     * BEFSR11, EtherFast® Cable/DSL Router
     * BEFSR41, EtherFast® Cable/DSL Router with 4-Port Switch
     * BEFSRU31, EtherFast® Cable/DSL Router with USB and 3-Port Switch

    A vulnerability in the product allows remote attackers to cause it to
    crash.

    DETAILS

    Description:
    The BEFW11S4, BEFSR11, BEFSR41 and BEFSRU31 can be crashed when several
    thousand characters are passed in the password field of the device's web
    management interface. Exploitation simply requires the use of a web
    browser that can send long Basic Authentication fields to the affected
    router's interface.

    Analysis:
    Remote exploitation is only possible if the remote web management
    interface is enabled (this is disabled by default). An attacker on the
    internal network can access the web management interface by using a web
    browser and accessing the URL http://192.168.1.1 (default URL).

    Detection:
    The BEFW11S4, BEFSR11, BEFSR41, and BEFSRU31 devices with firmware earlier
    than version 1.43.3 are affected. iDEFENSE confirmed susceptibility on
    the BEFW11S4. Linksys indicated that the BEFSR11, BEFSR41 and BEFSRU31 are
    also affected.

    Workaround:
    Disable the remote web management interface on the affected router.

    Recovery:
    Cycling power through the affected device should restore normal
    functionality; pressing the "Reset" button on the router is insufficient.

    Vendor fix:
    Linksys firmware 1.43.3, which is available at:
    <http://www.linksys.com/download/> http://www.linksys.com/download/, fixes
    the problem on all the affected devices.

    Disclosure timeline:
    11/02/2002 Issue disclosed to iDEFENSE
    11/06/2002 Linksys notified (jay.price@linksys.com)
    11/11/2002 Linksys response (diana.ying@linksys.com)
    11/18/2002 iDEFENSE clients notified
    11/19/2002 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dendler@idefense.com> David
    Endler from iDEFENSE, the vulnerability was discovered by
    <mailto:aharasic@terra.cl> Alex S. Harasic.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages