War of words continues over Cisco Linksys router access exploit

Stories of a vulnerability in Linksys consumer routers – the sort of device you might have at home between your family network and your ADSL modem, for example – have been circulating in the past week.

That’s now turned into a low-key war of words.

The fuss started when Croatian security consultancy DefenseCode published a blog article with a video demonstrating a vulnerability it claimed it had found in the Linksys WRT54GL product.

The video shows a program – one that takes no input and produces no output – being run a few times from a Windows command prompt, followed by netcat being used to connect to port 5555, on which a root shell happens to be running.

I didn’t doubt that the vulnerability existed, but I did find the video unconvincing – pointless might be a better word – and needlessly unhelpful. The exploit could have been a batch file running SLEEP 3 for all I could tell.

DefenseCode offered no explanation or annotation of what it had found, and gave no suggestion of a workaround.

The company did, however, find space on its blog to remind us that “Cisco Linksys is a very popular router with more than 70,000,000 routers sold. That’s why we think that this vulnerability deserves attention,” and to point out that it would widely disclose the vulnerability in the next two weeks, “according to our vulnerability disclosure policy.”

I couldn’t find DefenseCode’s vulnerability disclosure policy on the company’s site. If you can, please let us know the URL. You can email us or leave a comment below.

Cisco has been looking into the issue, it seems, because it recently responded to UK web publication The Register to confirm the hole and announce it would be releasing a fix.

Both sides seem to be playing their cards close to their chests, but from the Register piece, Cisco seems to be asserting that:

  • You need to be connected to the internal network of the router to use the exploit.
  • Only the Linux-based WRT54GL version of the product is affected.

If so, this greatly mitigates the risk.

Anyone who can plug a LAN cable into the back of your router already has physical access to it, so they can get a root shell anyway, albeit that it might be more obvious that they’re trying.

So, to run the exploit without physical access, an attacker needs to authenticate to your WiFi network first.

This means that by avoiding WEP and picking a decent password, you should be able to keep unknown assailants out.

Also, the WRT54GL (L stands for Linux) is an old model deliberately reintroduced to the market by Linksys especially for techies, because it has enough RAM on board to let you easily run your own build of Linux.

Later models in the WRT54 range were built down to a price, leaving insufficient RAM for a decent Linux experience. They ship with the VxWorks operating system and VxWorks-based firmware instead of Linux.

In other words, most -GLs are bought specifically to be reflashed with other firmware distros such as OpenWRT, ddWrt or Tomato. So they probably aren’t running Cisco’s vulnerable firmware anyway.

Not to be outdone, DefenseCode has weighed back into the fray, claiming:

Starting a few hours ago, we began a quick analysis as to how many Linksys models might be vulnerable. From what we can tell so far, at least one other (not just the WRT54GL) Linksys model is probably vulnerable.

Moreover, during the analysis we discovered clues that network devices from other manufacturers might also contain the same vulnerability. We are still investigating.

Regarding the Cisco case, we are looking forward to the vulnerability fix. In the meantime, we have again approached them about a few other potential vulnerabilities in the Linksys equipment.

I get the whiff of a “my skillz are better than ur skillz” attitude here, which I don’t really care for, and a bit less of the subjunctive probably, might and potential would be more scientifically helpful, but there you have it.

No need for panic right now, and it seems certain that the exploit can’t be unleashed via the external interface.

Choose a strong WPA password, pick your friends wisely, and keep your eye on the vulnerability disclosure news: all things you probably ought to be doing anyway.