iDEFENSE Security Advisory 11.19.02a: Denial of Service Vulnerability in Linksys Cable/DSL Routers

From: David Endler (dendler@idefense.com)
Date: 11/19/02

    From: "David Endler" <dendler@idefense.com>
    To: bugtraq@securityfocus.com
    Date: Tue, 19 Nov 2002 17:57:13 -0500
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.19.02a:
    http://www.idefense.com/advisory/11.19.02a.txt
    Denial of Service Vulnerability in Linksys Cable/DSL Routers
    November 19, 2002

    I. BACKGROUND

    Linksys Group Inc. currently sells several broadband router products,
    including:

    BEFW11S4, Wireless Access Point Router with 4-Port Switch - Version 2
    BEFSR11, EtherFast® Cable/DSL Router
    BEFSR41, EtherFast® Cable/DSL Router with 4-Port Switch
    BEFSRU31, EtherFast® Cable/DSL Router with USB and 3-Port Switch

    More information is available at
    http://www.linksys.com/products/group.asp?grid=23 .

    II. DESCRIPTION

    The BEFW11S4, BEFSR11, BEFSR41 and BEFSRU31 can be crashed when
    several thousand characters are passed in the password field of the
    device's web management interface. Exploitation simply requires the
    use of a web browser that can send long Basic Authentication fields
    to the affected router's interface.

    III. ANALYSIS

    Remote exploitation is only possible if the remote web management
    interface is enabled (this is disabled by default). An attacker on
    the internal network can access the web management interface by using
    a web browser and accessing the URL http://192.168.1.1 (default URL).

    IV. DETECTION

    The BEFW11S4, BEFSR11, BEFSR41, and BEFSRU31 devices with firmware
    earlier than version 1.43.3 are affected. iDEFENSE confirmed
    susceptibility on the BEFW11S4. Linksys indicated that the BEFSR11,
    BEFSR41 and BEFSRU31 are also affected.

    V. WORKAROUND

    Disable the remote web management interface on the affected router.

    VI. RECOVERY

    Cycling power through the affected device should restore normal
    functionality; pressing the "Reset" button on the router is
    insufficient.

    VII. VENDOR FIX

    Linksys firmware 1.43.3, which is available at
    http://www.linksys.com/download/, fixes the problem on all the
    affected devices.

    VIII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1312 to this issue.

    IX. DISCLOSURE TIMELINE

    11/02/2002 Issue disclosed to iDEFENSE
    11/06/2002 Linksys notified (jay.price@linksys.com)
    11/11/2002 Linksys response (diana.ying@linksys.com)
    11/18/2002 iDEFENSE clients notified
    11/19/2002 Public disclosure

    X. CREDIT

    Alex S. Harasic (aharasic@terra.cl) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPdrA6UrdNYRLCswqEQIlHQCfSWbq62uW/9V6nXX2Hrr0YfPJ40wAoISV
    DKNMabeYn046qJGNFtmxW5lU
    =tFYj
    -----END PGP SIGNATURE-----
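
Where the web management interface must stay reachable until firmware 1.43.3 is installed, the condition in section II can be watched for on a proxy or in captured traffic. The following is an added example, not part of the iDEFENSE advisory: it parses raw HTTP requests and flags Basic Authentication passwords of abnormal length. The 256-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

# Assumption: the advisory only says "several thousand characters"; this
# threshold is a local choice, far above any legitimate router password.
MAX_PASSWORD_LEN = 256

def basic_auth_password_len(raw_request: bytes):
    """Length of the decoded Basic-auth password; None when the request
    carries no Basic credentials; -1 when the credentials are malformed."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return -1                               # not valid base64
        _user, colon, password = decoded.partition(b":")
        return len(password) if colon else -1       # "user:password" expected
    return None

def classify(raw_request: bytes) -> str:
    n = basic_auth_password_len(raw_request)
    if n is None:
        return "no-basic-auth"
    if n < 0:
        return "malformed"
    return "oversized" if n > MAX_PASSWORD_LEN else "ok"

def sample_request(user: bytes, password: bytes) -> bytes:
    """Build a constructed request for offline testing; nothing is sent."""
    token = base64.b64encode(user + b":" + password)
    return (b"GET / HTTP/1.0\r\nHost: 192.168.1.1\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")

# Constructed sample input (not captured traffic).
SAMPLES = {
    "normal": sample_request(b"admin", b"s3cret"),
    "long": sample_request(b"admin", b"A" * 4000),
    "garbage": b"GET / HTTP/1.0\r\nAuthorization: Basic !!!\r\n\r\n",
    "none": b"GET / HTTP/1.0\r\nHost: 192.168.1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:8s} -> {classify(req)}")
```

Requests classified as "oversized" or "malformed" are candidates for alerting or for being dropped before they reach an unpatched device.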