From dendler@idefense.com Wed Nov 20 14:40:09 2002
From: David Endler
To: vulnwatch@vulnwatch.org
Date: Tue, 19 Nov 2002 17:57:13 -0500
Subject: [VulnDiscuss] iDEFENSE Security Advisory 11.19.02a: Denial of Service Vulnerability in Linksys Cable/DSL Routers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02a:
http://www.idefense.com/advisory/11.19.02a.txt
Denial of Service Vulnerability in Linksys Cable/DSL Routers
November 19, 2002

I. BACKGROUND

Linksys Group Inc. currently sells several broadband router products,
including:

    BEFW11S4, Wireless Access Point Router with 4-Port Switch - Version 2
    BEFSR11, EtherFast® Cable/DSL Router
    BEFSR41, EtherFast® Cable/DSL Router with 4-Port Switch
    BEFSRU31, EtherFast® Cable/DSL Router with USB and 3-Port Switch

More information is available at
http://www.linksys.com/products/group.asp?grid=23 .

II. DESCRIPTION

The BEFW11S4, BEFSR11, BEFSR41 and BEFSRU31 can be crashed when
several thousand characters are passed in the password field of the
device's web management interface. Exploitation simply requires the
use of a web browser that can send long Basic Authentication fields
to the affected router's interface.

III. ANALYSIS

Remote exploitation is only possible if the remote web management
interface is enabled (this is disabled by default). An attacker on
the internal network can access the web management interface by
using a web browser and accessing the URL http://192.168.1.1
(default URL).

IV. DETECTION

The BEFW11S4, BEFSR11, BEFSR41, and BEFSRU31 devices with firmware
earlier than version 1.43.3 are affected. iDEFENSE confirmed
susceptibility on the BEFW11S4. Linksys indicated that the BEFSR11,
BEFSR41 and BEFSRU31 are also affected.

V. WORKAROUND

Disable the remote web management interface on the affected router.

VI. RECOVERY

Cycling power through the affected device should restore normal
functionality; pressing the "Reset" button on the router is
insufficient.

VII. VENDOR FIX

Linksys firmware 1.43.3, which is available at
http://www.linksys.com/download/, fixes the problem on all the
affected devices.

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1312 to this issue.

IX. DISCLOSURE TIMELINE

11/02/2002    Issue disclosed to iDEFENSE
11/06/2002    Linksys notified (jay.price@linksys.com)
11/11/2002    Linksys response (diana.ying@linksys.com)
11/18/2002    iDEFENSE clients notified
11/19/2002    Public disclosure

X. CREDIT

Alex S. Harasic (aharasic@terra.cl) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPdrA6UrdNYRLCswqEQIlHQCfSWbq62uW/9V6nXX2Hrr0YfPJ40wAoISV
DKNMabeYn046qJGNFtmxW5lU
=tFYj
-----END PGP SIGNATURE-----
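
Added example (not part of the iDEFENSE advisory): a check that decodes the Basic Authentication header of a captured HTTP request and flags a password field far longer than a management login needs, the condition section II describes. The 1024-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

# Assumed alert threshold; the advisory only says "several thousand characters".
MAX_PASSWORD_LEN = 1024

def basic_auth_password_len(request: bytes):
    """Length of the decoded Basic password; None if no Basic header,
    -1 if the credential is not valid base64 or has no ':' separator."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return -1
        _user, colon, password = decoded.partition(b":")
        return len(password) if colon else -1
    return None

def classify(request: bytes) -> str:
    """Label one request for a proxy rule or an offline capture review."""
    n = basic_auth_password_len(request)
    if n is None:
        return "no-basic-auth"
    if n < 0:
        return "malformed"
    return "oversized-password" if n > MAX_PASSWORD_LEN else "ok"

def _sample(password: bytes) -> bytes:
    # Constructed request bytes for the self-check; nothing is sent anywhere.
    cred = base64.b64encode(b"user:" + password)
    return (b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n"
            b"Authorization: Basic " + cred + b"\r\n\r\n")

SAMPLES = {  # constructed inputs, not captured traffic
    "normal": _sample(b"example-pass"),
    "long": _sample(b"A" * 4000),
    "bad": b"GET / HTTP/1.1\r\nAuthorization: Basic !!!\r\n\r\n",
    "none": b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

A rule like this belongs in front of the management interface or in review of captured traffic; the fix itself remains the firmware 1.43.3 upgrade from section VII.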