Linksys Router Flaw Reported
EtherFast model used in homes could expose small networks to crashing by hackers, security firm says.
Paul Roberts, IDG News Service
Monday, November 04, 2002
An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial-of-service attacks, according to a security advisory issued by IDefense, a software security company.
Linksys is one of a number of companies that sell low-priced network gear to small-office and home-office customers. The product, the Linksys BEFSR41 EtherFast Cable/DSL Router, is a low-cost router that allows two or more computers to share an Ethernet or broadband Internet connection.
A security hole in some versions of the software--called "firmware"--used by the router could allow a remote user to cause the device to crash, interrupting Internet service for any PCs attached to it, according to IDefense.
The damage might be slight, because it appears that attackers could only crash the network; and launching such an attack may require access to a PC on the targeted network, the security researchers say. But they recommend that users upgrade the router firmware to version 1.42.7 or later to guard against such an attack. Linksys representatives were not immediately available to comment.
To cause a crash through this vulnerability, an attacker only needs to enter the URL (uniform resource locator) for a CGI (Common Gateway Interface) script used to configure and manage the router without providing any "arguments" (input for the script to process), according to IDefense.
In most situations, the attacker would need to be on a PC connected to the network to execute an attack. However, if the router has a 'remote management' feature enabled, a malicious hacker could execute an attack from anywhere on the Internet by entering the IP address of the router along with the name of the script into his or her Web browser, said the security firm. The researchers also recommended users verify that the router's remote management feature is not enabled.
"An attacker could just scan a [network] subnet for IP addresses belonging to Linksys routers. Once they identified the targeted routers, they could bring them down just using their Web browser," said Sunil James, a senior security engineer at IDefense.
The vulnerability affects BEFSR41 routers using a version of the router firmware earlier than version 1.42.7.
Other Linksys models, including the BEFSR11 and BEFSRU31 routers, may also be affected by the vulnerability, according to James. Those models use the same embedded Web server and firmware software as the BEFSR41, James said. IDefense has not tested the vulnerability on the BEFSR11 or BEFSRU31 router hardware, James added.
Small Damage Likely
Aside from losing Internet connectivity, however, James said that IDefense does not believe the vulnerability would allow attackers to place or execute malicious code on an affected network. Following an attack, users would need to reset the router by pressing a reset button on the back of the device to restore it, according to IDefense.
Denial-of-service (DOS) attacks are usually associated with coordinated efforts by one or more hackers against high-visibility corporate Web sites such as EBay and Microsoft. However, the growing popularity of broadband Internet connections in the U.S., Europe, and Asia has made small-office and home-based computer networks--and attacks that target those networks--common.
A study in 2001 by researchers from the Cooperative Association for Internet Data Analysis at the San Diego Supercomputer Center found that a significant percentage of more than 12,000 DOS attacks the group studied were against home users with broadband Internet connections. Researchers theorized that personal vendettas may have been the motivation for many of those attacks.