Sophos Cloud Optix
Stories of a vulnerability in Linksys consumer routers – the sort of device you might have at home between your family network and your ADSL modem, for example – have been circulating in the past week.
That’s now turned into a low-key war of words.
The fuss started when Croatian security consultancy DefenseCode published a blog article with a video demonstrating a vulnerability it claimed it had found in the Linksys WRT54GL product.
The video shows a program – one that takes no input and produces no output – being run a few times from a Windows command prompt, followed by netcat being used to connect to port 5555, on which a root shell happens to be running.
I didn’t doubt that the vulnerability existed, but I did find the video unconvincing – pointless might be a better word – and needlessly unhelpful. The exploit could have been a batch file running SLEEP 3 for all I could tell.
DefenseCode offered no explanation or annotation of what it had found, and gave no suggestion of a workaround.
The company did, however, find space on its blog to remind us that “Cisco Linksys is a very popular router with more than 70,000,000 routers sold. That’s why we think that this vulnerability deserves attention,” and to point out that it would widely disclose the vulnerability in the next two weeks, “according to our vulnerability disclosure policy.”
I couldn’t find DefenseCode’s vulnerability disclosure policy on the company’s site. If you can, please let us know the URL. You can email us or leave a comment below.
Cisco has been looking into the issue, it seems, because it recently responded to UK web publication The Register to confirm the hole and announce it would be releasing a fix.
Both sides seem to be playing their cards close to their chests, but from the Register piece, Cisco seems to be asserting that:
- You need to be connected to the internal network of the router to use the exploit.
- Only the Linux-based WRT54GL version of the product is affected.
If so, this greatly mitigates the risk.
Anyone who can plug a LAN cable into the back of your router already has physical access to it, so they can get a root shell anyway, albeit that it might be more obvious that they’re trying.
So, to run the exploit without physical access, an attacker needs to authenticate to your WiFi network first.
This means that by avoiding WEP and picking a decent password, you should be able to keep unknown assailants out.
Also, the WRT54GL (L stands for Linux) is an old model deliberately reintroduced to the market by Linksys especially for techies, because it has enough RAM on board to let you easily run your own build of Linux.
Later models in the WRT54 range were built down to a price, leaving insufficient RAM for a decent Linux experience. They ship with the VxWorks operating system and VxWorks-based firmware instead of Linux.
In other words, most -GLs are bought specifically to be reflashed with other firmware distros such as OpenWRT, ddWrt or Tomato. So they probably aren’t running Cisco’s vulnerable firmware anyway.
Not to be outdone, DefenseCode has weighed back into the fray, claiming:
Starting a few hours ago, we began a quick analysis as to how many Linksys models might be vulnerable. From what we can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable.
Moreover, during the analysis we discovered clues that network devices from other manufacturers might also contain the same vulnerability. We are still investigating.
Regarding the Cisco case, we are looking forward to the vulnerability fix. In the meantime, we have again approached them about a few other potential vulnerabilities in the Linksys equipment.
I get the whiff of a “my skillz are better than ur skillz” attitude here, which I don’t really care for, and a bit less of the subjunctive probably, might and potential would be more scientifically helpful, but there you have it.
No need for panic right now, and it seems certain that the exploit can’t be unleashed via the external interface.
Choose a strong WPA password, pick your friends wisely, and keep your eye on the vulnerability disclosure news: all things you probably ought to be doing anyway.
I would practically act as a salesman at computer stores with my recommending this router to customers looking at newer models. It is among my most satisfying purchases of all time (for its intended use). Mine has worked so flawlessly and so smartly that I may never get myself to switch. (True, I am intrigued by the ability of current models to prioritize certain streams such as video.)
I completely agree with you that this exploit was not as serious as DefenseCode seemed to claim. I had the same reaction when I read about it. I would like to point out that even WiFi networks using WPA now have an exploit – announced in Dec. 2011. It involves a brute force attack on the WPS key. If you’re lucky enough to have a router still supported by firmware updates, then there is now probably an update available that will allow you to turn off WPS or at least limit the number of WPS attempts.
The author of this article falsely assumes an attacker would need to plug a cable into your router or connect to your wifi in order to use this exploit. I thought it obvious that an attacker could spread malware that could download this exploit as an additional module which could then be used to gain access to the router. While I'm certain this make/model was designed for home use I'm dead certain there are PLENTY of small businesses or satellite offices of larger companies using this router too.
I see what you're saying…but, technically speaking I'm still in the clear 🙂 If the malware infects a computer that is on the internal network, I'd say that makes the internal PC into the attacker ("being the attacker" is transitive) and so it still needs to be plugged in or connected via WiFi to do its dirty work.
But you're right. You can attack networked equipment from inside very effectively with malware. (Ask those guys whose nuclear centrifuges got infected 🙂
I do know people who have bought job lots of WRT54s for business purposes – e.g. very basic branch office or telecommuter security – but they didn't keep the Linksys firmware. I don't know what percentage of used-for-business WRT54s are running non-Linksys firmware, however.
There were five models of the WRT54G (not GL). The first four used the Linux code. The fifth one was the cost-reduced model with reduced RAM, running VxWorks. Due to consumer complaints, a model (probably exactly the fourth version) was released as the WRT54GL.
The result of this is that there are two classes of owners affected:
1) Owners of the first four versions of the WRT54G, who are probably not technically sophisticated and are not likely to have modified the shipped firmware.
2) Owners of the WRT54GL, who have probably installed a different build, as the article suggests.
There are a lot of owners in the first category out there as DefenseCode seems to be suggesting.
Cisco's reply to The Register explicitly said "-GL only is affected." So it doesn't seem to be whether the router runs Linux, but whether it is a -GL (though of course those run Linux).
DefenseCode is now counterclaiming that it might, after all, work on some other models, but the company's latest statement is so vague as to be useless: "From what we can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable."
So it might be vulnerable, but we're not going to say which one. Humph.
I've used the WPS cracking trick on a test router that I had disabled WPS on, it still worked. This was probably a 2 year old linksys, not sure of the model as I'm not in my office. But from what I've read/experienced, with certain routers even disabling WPS is not enough. If the functionality is built in, it's vulnerable.
I have a WRT54G2; should I be concerned? I am not technically sophisticated.
It's not yet clear. Cisco are saying it's the -GL only.
DefenseCode have then come back and said, "Maybe it's at least one of the other models as well," but sill don't seem sure and anyway won't say which model it is.
Sorry we can't be more specific at the moment 🙂
Paul,
I'm always a little dubious of statements from nontechnical corporate "spokespersons."
As you know, Linux is open source and each commercial user is required to make his modifications available on demand. A decade ago the enthusiasts demanded this of Linksys (see http://www.wi-fiplanet.com/tutorials/article.php/…. I've downloaded and inspected various levels in the past.
The entire range of Linksys WRT54Gxx models are cataloged here: http://en.wikipedia.org/wiki/WRT54G .
DefenseCode or Sophos could download all the versions and determine whether the affected code is unchanged in all of them and give a definitive answer to this question.
I think that's DefenseCode's job, wouldn't you say? They're the ones claiming that there is a vuln on -GLs and only that there might be one on other models.
And they're the ones (along with Cisco) who actually have the exploit code…so they're the ones who could/should be checking "the affected code".
Remember that the rest of us don't yet know which is the affected code to look to see whether it's been changed or not.
Thank you, Paul. I'll keep my ears tuned to future comments.
"Anyone who can plug a LAN cable into the back of your router already has physical access to it, so they can get a root shell anyway"
Not really. What about the perfectly common "router locked in a closet but network jacks accessible to anyone on the premises" scenario? Lots of people have what amounts to physical access to router ports without having physical access to the routers themselves.
Point taken. Remember, though, that we're talking about WTR54s here.
The switch ports are on the back (both WAN and LAN), and they're not made for mounting in a rack or a secure cabinet. They're frequently found in a spare bedroom, or under a desk, or stashed in a corner somewhere.
How about, "For almost all WTR54s in active service, it's reasonable to say that anyone who could plug in a LAN cable could do pretty much what they wanted to it, from taking it home with them, all the way to soldering in a JTAG socket and recovering it from a bricked state."
had the same reaction when I read about it. I would like to point out that even WiFi networks using WPA now have an exploit – announced in Dec. 2011.
Linksys Troubleshooting Call us : 1-855-359-6510
Well I don't have Linksys for any of my network setups. But I can't really take a group/company [DefenseCode] seriously when their responses make them sound less and less credible with every word.