Serious flaw in Linksys wireless AP password security

From: Steve Scherf (bugtraq_at_moonsoft.com)
Date: 08/14/05

    Date: Sun, 14 Aug 2005 00:53:24 -0700
    To: bugtraq@securityfocus.com

    It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware
    version 1) wireless router allows wireless clients to connect and use the
    network without actually authenticating. With WPA Personal/TKIP authentication
    enabled, the unit allows both clients using encryption with the correct
    settings and key, and clients not using any encryption. It disallows clients
    attempting to use encryption with the wrong settings and/or key.

    In other words, even if you think you've secured your wireless network from
    unauthorized access, anyone can access it. It actually shows up as having no
    password security on a Macstumbler scan, which is how I noticed the problem.
    I verified that anyone can access the network without needing to know the key.

    I did not check security modes other than WPA/TKIP. Other modes may have
    different behavior. Changing the "Authentication Type" setting had no effect
    on this problem. I believe it should be set to "Shared Key", but the setting
    used does not appear to matter.

    I only verified the problem on firmware 4.50.6. It is unknown if other
    firmware versions exhibit the problem. However, at least one older firmware
    does not exhibit the problem, as my router functioned correctly until I
    updated to 4.50.6.

    The problem appears to be fixed in version 4.70.6. No explicit notice of
    this problem or the fix appears in the release notes for version 4.70.6.
    Strangely, the "Authentication Type" must be set to "Auto" for the unit to
    function properly. Should it be set to "Shared Key", which one might expect
    to be the correct value, the wireless functionality appears to be entirely
    disabled.

    It is unknown if this problem is seen with other hardware versions, or with
    other models. I suspect it may, given the similarity between many of the
    Linksys models and their firmware.

    -- 
    Steve Scherf
    bugtraq@moonsoft.com
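A passive check a defender can run over captured beacons, added here as an example and not part of Steve's post or Linksys firmware: it decodes the WPA and RSN information elements the way a stumbler does and flags an AP that is configured for WPA Personal/TKIP but advertises no protection at all, which is what the Macstumbler scan above showed. The two beacon bodies and the SSID "linksys" are constructed for the demonstration, not captures from the router described.

```python
import struct

MS_OUI, IEEE_OUI = b"\x00\x50\xf2", b"\x00\x0f\xac"   # WPA (vendor) and RSN (802.11i) suite OUIs
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}

def parse_ies(tagged):
    ies, i = [], 0                                        # (element id, body) pairs
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies.append((eid, body))
        i += 2 + length
    return ies

def suite_name(suite, table, oui):                        # 3-byte OUI + 1-byte selector
    return table.get(suite[3], "unknown") if suite[:3] == oui and len(suite) == 4 else "vendor"

def parse_suites(body, oui):
    """Decode group cipher, pairwise cipher list and AKM list; RSN and WPA share this layout."""
    group = suite_name(body[2:6], CIPHERS, oui)           # bytes 0-1 are the version field
    n_pair, = struct.unpack_from("<H", body, 6)
    pairwise = [suite_name(body[8 + 4 * k:12 + 4 * k], CIPHERS, oui) for k in range(n_pair)]
    pos = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, pos)
    akm = [suite_name(body[pos + 2 + 4 * k:pos + 6 + 4 * k], AKMS, oui) for k in range(n_akm)]
    return {"group": group, "pairwise": pairwise, "akm": akm}

def advertised_security(beacon_body):
    """Classify a beacon body (timestamp, interval, capability, then elements) as a stumbler would."""
    capability, = struct.unpack_from("<H", beacon_body, 10)
    for eid, body in parse_ies(beacon_body[12:]):
        if eid == 0x30:                                   # RSN element: WPA2
            return dict(proto="WPA2", **parse_suites(body, IEEE_OUI))
        if eid == 0xDD and body[:4] == MS_OUI + b"\x01":  # Microsoft OUI, type 1: WPA
            return dict(proto="WPA", **parse_suites(body[4:], MS_OUI))
    return {"proto": "WEP" if capability & 0x0010 else "open"}   # only the privacy bit is left

def check_policy(beacon_body, proto="WPA", cipher="TKIP", akm="PSK"):
    """True only if the beacon advertises the configured protection (WPA Personal/TKIP by default)."""
    seen = advertised_security(beacon_body)
    return seen["proto"] == proto and cipher in seen.get("pairwise", []) and akm in seen.get("akm", [])

ONE, TKIP_OR_PSK = struct.pack("<H", 1), MS_OUI + b"\x02"    # 00:50:F2:02 is TKIP as cipher, PSK as AKM
FIXED, SSID = b"\x00" * 8 + struct.pack("<H", 100), b"\x00\x07linksys"   # constructed, not captured
WPA_IE = MS_OUI + b"\x01" + ONE + TKIP_OR_PSK + ONE + TKIP_OR_PSK + ONE + TKIP_OR_PSK
BEACON_WPA = FIXED + struct.pack("<H", 0x0411) + SSID + bytes([0xDD, len(WPA_IE)]) + WPA_IE
BEACON_OPEN = FIXED + struct.pack("<H", 0x0401) + SSID       # privacy bit clear, no WPA/RSN element
```

Run `check_policy` against each beacon captured for your own SSID; an AP that is supposed to be WPA Personal/TKIP and comes back False is advertising less than it was configured for.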
    
