I. BACKGROUND
Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at
http://www.linksys.com/products/product.asp?prid=20&grid=23.
II. DESCRIPTION
The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled and that the proper password is supplied. A sample request looks as follows:
http://192.168.1.1/Gozila.cgi?
III. ANALYSIS
Because successful exploitation requires password authentication, exploitation can only occur in two likely scenarios:
1.) The Linksys user is socially engineered into clicking on a link and authenticating to the router (e.g. "Check out this cool Linksys Easter Egg! Click here!")
2.) The Linksys user is logged into the router's web management console and is the victim of a cross-site scripting attack which redirects the user to this link.
IV. DETECTION
This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7.
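As an added example (not part of the iDEFENSE advisory or Linksys's code), a defender-side Python script that flags the argument-less Gozila.cgi request from the description above in HTTP access logs and reports whether a given firmware version falls in the affected range. The log lines and addresses in it are constructed sample data, and the log format (Common Log Format) is an assumption.

```python
import re

# Common Log Format (assumed format for the constructed sample below).
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)

FIXED_VERSION = (1, 42, 7)  # firmware 1.42.7 and later fix the crash


def parse_version(text: str) -> tuple:
    """Turn '1.43' into (1, 43, 0) so tuple comparison works component-wise
    (a plain string compare would mis-order e.g. '1.5' against '1.42.7')."""
    parts = [int(p) for p in text.strip().split('.')]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the firmware is earlier than 1.42.7."""
    return parse_version(version) < FIXED_VERSION


def is_empty_gozila_request(url: str) -> bool:
    """Only the argument-less form ('/Gozila.cgi' or '/Gozila.cgi?') triggers
    the crash; normal management actions carry parameters after the '?'."""
    path, _, query = url.partition('?')
    return path.lower().endswith('/gozila.cgi') and query == ''


def find_crash_attempts(log_text: str) -> list:
    """Return (source, timestamp, url) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and m['method'].upper() == 'GET' and is_empty_gozila_request(m['url']):
            hits.append((m['src'], m['ts'], m['url']))
    return hits


# Constructed sample: one normal management action, one crash trigger, one unrelated hit.
SAMPLE_LOG = """\
192.168.1.20 - - [31/Oct/2002:10:14:55 -0500] "GET /Gozila.cgi?action=Apply&dhcp=1 HTTP/1.0" 200 312
192.168.1.50 - - [31/Oct/2002:10:15:02 -0500] "GET /Gozila.cgi? HTTP/1.0" 200 0
192.168.1.20 - - [31/Oct/2002:10:15:09 -0500] "GET /index.htm HTTP/1.0" 200 1842
"""

if __name__ == '__main__':
    for src, ts, url in find_crash_attempts(SAMPLE_LOG):
        print(f'{ts} {src} requested {url}')
    print('firmware 1.42.6 affected:', is_affected('1.42.6'))
```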
V. RECOVERY
Pressing the reset button on the back of the router should restore normal functionality.
VI. VENDOR FIX
Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at
http://www.linksys.com/download/firmware.asp?fwid=1.
VII. VENDOR RESPONSE
The Linksys 4-Port Cable/DSL Router (BEFSR41) using firmware version prior to 1.42.7 is only susceptible to a remote gozila.cgi script attack when the default setting is reconfigured to enable "Remote Administration." Internal gozila.cgi attacks only take place if a user inadvertently activates a malicious link, file or other form of code, just as an email virus is triggered.
Since Linksys ships all its routers with "Remote Administration" disabled by default, the vulnerability issue raised by iDEFENSE Security Advisory 10.31.02a cannot be executed remotely unless a user has purposely enabled remote access. Other similar products on the market with a "Remote Administration" feature may also be prone to security vulnerabilities when remote access is enabled. Internal cgi attacks can best be avoided by not clicking on links or executing programs from untrusted sources.
Linksys encourages its router users to upgrade BEFSR41 router firmware to 1.42.7 or later, and to disable "Remote Administration" whenever the feature is not being used. All Linksys routers have the "Block WAN Request" feature enabled by default as another security measure, preventing them from being "pinged," or pinpointed, on the Internet. Linksys also encourages network users to practice standard security measures regularly, such as changing default passwords on network devices and disabling idle remote access.
The BEFSR41's latest firmware version 1.43 is available for free download at
http://www.linksys.com/download/firmware.asp?fwid=1.
VIII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue.
IX. DISCLOSURE TIMELINE
| 08/27/2002 | Issue disclosed to iDEFENSE |
| 09/12/2002 | Linksys notified |
| 09/12/2002 | iDEFENSE clients notified |
| 09/13/2002 | Response received from maryann.gamboa@Linksys.com |
| 09/19/2002 | Status request from iDEFENSE |
| 09/20/2002 | Asked to delay advisory until second level support can respond |
| 10/20/2002 | No response from second level support, another status request to maryann.gamboa@Linksys.com |
| 10/31/2002 | Still no response from Linksys, public disclosure |
| 11/06/2002 | Vendor response from Andreas Bang, Linksys Product Manager |
X. CREDIT
Jeep 94 (lowjeep94@hotmail.com) is credited with discovering this vulnerability.