Linksys router vulnerability

Status
Not open for further replies.
"The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware."

http://windowsitpro.com/security/update-linksys-router-worm-fix-and-further-actions
 
There are a few "solutions" noted in the linked article:

https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633

1. Make sure remote admin is turned OFF on the router. This should prevent the attack from working, as it connects on the remote admin port of 8080.

2. I think this is genius in its simplicity (it was suggested by one of the commenters, pktman):

Originally Posted By: pktman
I have found that on most of these SOHO routers with HNAP, disabling remote administration doesn't stop the router from answering HNAP1 requests on the WAN side. I have sent more than a few emails to a few manufacturers who replied that the devices were functioning "as designed".

I don't like anything like that allowing attackers to probe my systems for information or potentially compromise them. In the absence of any way to disable this in firmware, the only reliable way I have found is to enable port forwarding and forward the traffic into the abyss. To make this safe you need to set up DHCP on your LAN side to not allocate certain addresses. Then port forward the incoming port 80/443 traffic to an IP that isn't assigned to anything.

For example, if your router's internal LAN IP is 192.168.1.1, set up DHCP to allocate only 192.168.1.5-192.168.1.250. Then set up port forwarding rules so that incoming traffic to TCP port 80 and TCP port 443 on the WAN side of your router gets forwarded to 192.168.1.2.

It's not pretty, it's not ideal. But on the devices I have tried, it has at least made port 80/443 go dark to the WAN, as the SYNs just go into nothingness.


Note that responding to the HNAP1 requests doesn't by itself denote a vulnerability. But it is indeed the router responding to a request for information, vulnerable or not. His solution above prevents this (the response to the HNAP1 requests), essentially blackholing these requests for information.
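A way to verify the two points above from outside, as an added example that is not code from the thread, from Linksys or from the SANS write-up: it sends the same unauthenticated GET /HNAP1/ that scanners use to fingerprint a device and classifies what comes back. A router that answers leaks model and firmware (the "responding to a request for information" case); one behind pktman's blackhole forward never answers at all, so the connect times out ("dark"); a port that is genuinely closed is refused. The host and port names are hypothetical, and the sample response embedded for offline use is constructed, not captured from a real unit.

```python
"""Probe a router's WAN address for an HNAP1 listener and classify the result.

Added example: the request is the generic unauthenticated GET /HNAP1/ probe,
and SAMPLE_RESPONSE below is a constructed reply shaped like the HNAP1
GetDeviceSettings SOAP body, used only so the parser can be exercised offline.
"""
import socket
import sys
import xml.etree.ElementTree as ET

HNAP_NS = "{http://purenetworks.com/HNAP1/}"

# Constructed sample of an HNAP1 device-settings reply (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nConnection: close\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body>"
    b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"<VendorName>Linksys</VendorName>"
    b"<ModelName>E2000</ModelName>"
    b"<FirmwareVersion>1.0.04</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)


def build_probe(host: str) -> bytes:
    """Plain GET /HNAP1/ with no credentials; the device-settings reply
    does not require authentication, which is exactly the information leak."""
    return (
        f"GET /HNAP1/ HTTP/1.1\r\nHost: {host}\r\n"
        f"User-Agent: hnap1-probe/0.1\r\nConnection: close\r\n\r\n"
    ).encode()


def parse_hnap1(raw: bytes) -> dict:
    """Extract the fingerprint fields from an HNAP1 reply; {} if it is not one."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/1.") or not body.strip().startswith(b"<"):
        return {}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    node = root.find(f".//{HNAP_NS}GetDeviceSettingsResponse")
    if node is None:
        return {}
    fields = {}
    for tag in ("VendorName", "ModelName", "FirmwareVersion", "DeviceName"):
        el = node.find(f"{HNAP_NS}{tag}")
        if el is not None and el.text:
            fields[tag] = el.text.strip()
    return fields


def classify_response(raw: bytes) -> tuple:
    """'exposed' when HNAP1 fields came back, 'http-no-hnap' for any other
    HTTP reply (e.g. a 404 from a non-HNAP web server), 'other' for junk."""
    fields = parse_hnap1(raw)
    if fields:
        return "exposed", fields
    if raw.startswith(b"HTTP/"):
        return "http-no-hnap", {}
    return "other", {}


def probe(host: str, port: int = 80, timeout: float = 3.0) -> tuple:
    """Connect from the WAN side and classify. 'dark' is the result pktman's
    blackhole forward produces: the SYN is forwarded to an unused LAN address
    and nothing ever answers. 'closed' means the port actively refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe(host))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except socket.timeout:
        return "dark", {}
    except ConnectionRefusedError:
        return "closed", {}
    except OSError:
        return "unreachable", {}
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    # Usage: python hnap1_probe.py <wan-ip> [port]; run from OUTSIDE the LAN.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # hypothetical
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe(target, target_port))
```

Run it against the WAN address from a host outside the LAN, once per port you care about (80, 443 and the 8080 remote-admin port). The useful result after applying pktman's forward is "dark" rather than "closed": a refused connection still tells a scanner there is a host there, while a blackholed SYN tells it nothing. On routers running Tomato or DD-WRT the same effect is had more cleanly with an iptables DROP rule on the WAN interface instead of a forward to an unused address, since those firmwares expose a firewall script; that is a general property of iptables, not something the thread itself discusses.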
 
Interesting, I have the E2000 as my backup router.
If it's flashed with DD-WRT/Tomato etc., does that nullify this vulnerability?

note: I always keep remote admin off.

If I need to change something I can always LogMeIn to the person's computer to change it. Not ideal but functional.

The router is currently at the parents', replacing their DOA replacement router.

(their router went dead, replacement was DOA)

It has tomato on it.
 
Originally Posted By: Rand
Interesting, I have the E2000 as my backup router.
If it's flashed with DD-WRT/Tomato etc., does that nullify this vulnerability?

note: I always keep remote admin off.

If I need to change something I can always LogMeIn to the person's computer to change it. Not ideal but functional.

The router is currently at the parents', replacing their DOA replacement router.

(their router went dead, replacement was DOA)

It has tomato on it.


No, it only affects some versions of the OEM firmware, if you are using aftermarket you are fine.
 
Originally Posted By: daman
Is this threat only on Linksys?


At this point, yes. Though Linksys routers aren't the only ones that respond to the request, so there may be similar exploits that appear for other brands potentially working in a similar manner.
 
Originally Posted By: daman
Boy, here's another! I'm going to unplug the router and run Ethernet cable.

http://arstechnica.com/security/2014/02/...exploited-flaw/


Yup, isn't consumer-realm gear fun? LOL!

There's a reason I run a Cisco ASA as my perimeter device, LOL!
 
Originally Posted By: Colt45ws
Hardened Gentoo linux on my router PC.


Yup. An easier choice for a home user is a PFSense box, that's my favourite free firewall distro. And it is well maintained.
 
Originally Posted By: OVERKILL
Originally Posted By: Colt45ws
Hardened Gentoo linux on my router PC.


Yup. An easier choice for a home user is a PFSense box, that's my favourite free firewall distro. And it is well maintained.

Yes. I like the configurability of what I have, but that is better for someone who would want to try using a PC.
 
Originally Posted By: Colt45ws
Originally Posted By: OVERKILL
Originally Posted By: Colt45ws
Hardened Gentoo linux on my router PC.


Yup. An easier choice for a home user is a PFSense box, that's my favourite free firewall distro. And it is well maintained.

Yes. I like the configurability of what I have, but that is better for someone who would want to try using a PC.


Exactly. Somebody just looking to swap out their generic consumer router for something more robust is better served IMHO using something like IPCop, pfSense, Smoothwall, etc.
 
I have Tomato on a WRT54G as well, so no issues on our end.

The only problem I have is that the WRT54G, although extremely reliable (rebuilt once), is getting slow now... currently working at my parents' house.

Q.
 
Originally Posted By: 97tbird
I have Tomato on my WRT54GL so I guess I am OK... (?)

You're fine. WRT54 wasn't on the list of affected models.
 