DHS warns Linksys ‘SMART wifi’ router firmware exposed to remote attacks

Updated: Linksys has now provided updates for the EA3500 and EA2700. See below for links to the relevant support pages.

The US Department of Homeland Security (DHS) has raised alarm bells over two Linksys router models that haven’t received security fixes that were released for other routers in July.

The two models in question are the EA2700 and EA3500 routers, which Linksys decided not to patch when it fixed other devices from its EA series three months ago.

Carnegie Mellon University’s computer emergency response team (CERT), a DHS sponsored unit, on Friday drew attention to patches for two flaws affecting 10 Linksys devices running its SMART wifi firmware — a feature introduced in 2012 which allowed owners of Linksys EA series routers to remotely control their home network via a smartphone app.

The flaws reside in the firmware, and the problem is that Linksys released a fix for only eight of the affected devices.

The CERT pointed to two separate flaws affecting SMART wifi firmware that can be exploited locally and remotely.

The first flaw, officially designated as CVE-2014-8243, relates to key management errors in the firmware that potentially expose the router’s password file to an attacker who’s on the same local area network.

“An unauthenticated attacker on the local area network (LAN) can read the router's .htpasswd file by requesting http(s):///.htpasswd. The .htpasswd file contains the MD5 hash of the administrator password,” explained Carnegie Mellon’s CERT.

The second flaw, assigned the identifier CVE-2014-8244, is remotely exploitable and may allow an attacker to “read or modify sensitive information on the router”.

“A remote, unauthenticated user can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s):///JNAP/. Depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router,” the CERT said.

It added that the flaws could be exploited by an attacker on the wide area network (WAN). "[T]he router exposes multiple ports to the WAN by default. Port 100080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well."
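The two request patterns CERT describes can be looked for in HTTP logs from a sensor or proxy in front of the router. The sketch below is an added example, not code from CERT or Linksys; the log line format, the LAN range 192.168.1.0/24 and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumed log format, constructed for this example:
#   <src_ip> <dst_ip>:<dst_port> "<METHOD> <path> HTTP/x.y" <status>
LINE_RE = re.compile(
    r'^(?P<src>[\d.]+) [\d.]+:(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def classify(line, lan="192.168.1.0/24"):
    """Return a finding for a request matching either advisory pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        from_wan = ipaddress.ip_address(m["src"]) not in ipaddress.ip_network(lan)
    except ValueError:
        return None  # malformed source address
    path = m["path"].split("?", 1)[0].lower()
    if path == "/.htpasswd" and m["method"] in ("GET", "HEAD"):
        # No client has a legitimate reason to fetch the password file.
        rule = "CVE-2014-8243"
    elif path.startswith("/jnap/") and m["method"] == "POST" and from_wan:
        # Assumption: JNAP POSTs from inside the LAN are the owner's app,
        # so only calls arriving from outside the LAN are flagged.
        rule = "CVE-2014-8244"
    else:
        return None
    # "served" is True when the router answered 200 instead of refusing.
    return {"rule": rule, "src": m["src"], "port": int(m["port"]),
            "from_wan": from_wan, "served": m["status"] == "200"}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample lines; addresses are private/documentation ranges.
SAMPLE_LOG = """\
192.168.1.23 192.168.1.1:80 "GET /.htpasswd HTTP/1.1" 200
203.0.113.9 192.168.1.1:52000 "POST /JNAP/ HTTP/1.1" 200
192.168.1.50 192.168.1.1:80 "POST /JNAP/ HTTP/1.1" 200
203.0.113.9 192.168.1.1:52000 "GET /.htpasswd HTTP/1.1" 403
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with both `from_wan` and `served` set to true indicates the administrative interface is reachable from outside and answered the request, which is the case to prioritise until the firmware update is applied.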

The DHS notes that information about the vulnerabilities is incomplete as they’re both currently undergoing analysis.

Linksys models affected by the flaws include its EA2700, EA3500, E4200v2, EA4500, EA6200, EA6300, EA6400, EA6500, EA6700, EA6900. In July, Linksys released updates that remedy the flaws for all of these models except the EA2700 and EA3500.

The routers that lack an update were introduced under the Linksys brand in 2012, before Cisco sold its Linksys unit to Belkin.

Last April, security researcher Phil Purviance found that the EA2700 model contained multiple flaws in the classic firmware that exposed the devices to attacks through the browser-based admin panel. At the time, Linksys said that the SMART wifi firmware was not affected.

CSO.com.au has asked Linksys whether it will release a fix for the devices and if so when. It will update the story if it receives an answer.

The URLs below link to Linksys' support pages for the two products in different regions.  

This article is brought to you by Enex TestLab, content directors for CSO Australia.
