Linksys SMART WiFi firmware contains multiple vulnerabilities

2014-10-31T00:00:00
ID VU:447516
Type cert
Reporter CERT
Modified 2014-11-07T19:15:00

Description

Overview

Linksys EA series routers running the Linksys SMART WiFi firmware contain multiple vulnerabilities.

Description

CWE-320: Key Management Errors - CVE-2014-8243

An remote, unauthenticated attacker can read the router's .htpassword file by requesting http(s)://<router_ip>/.htpasswd. The .htpasswd file contains the MD5 hash of the administrator password.

CWE-200: Information Exposure - CVE-2014-8244

A remote, unauthenticated attacker can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://<router_ip>/JNAP/. Depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router.

It should also be noted that the router exposes multiple ports to the WAN by default. Port 10080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well.


Impact

A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.


Solution

Apply an Update:

If possible, users are encouraged to update their firmware to the latest version to remediate these vulnerabilities. Linksys has provided the following fix versions:

EA2700 - Ver.1.1.40 (Build 162751)

EA3500 - Ver.1.1.40 (Build 162464)

E4200v2 - Ver.2.1.41 (Build 162351)

EA4500 - Ver.2.1.41 (Build 162351)

EA6200 - Ver.1.1.41 (Build 162599)

EA6300 - Ver.1.1.40 (Build 160989)

EA6400 - Ver.1.1.40 (Build 160989)

EA6500 - Ver.1.1.40 (Build 160989)

EA6700 - Ver.1.1.40 (Build 160989)

EA6900 - Ver.1.1.42 (Build 161129)


Vendor Information

447516

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Linksys Affected

Notified: July 28, 2014 Updated: October 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal | 5.3 | E:POC/RL:OF/RC:C
Environmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • <http://support.linksys.com/en-us/support/routers/E4200>
  • <http://support.linksys.com/en-us/support/routers/EA4500>
  • <http://support.linksys.com/en-us/support/routers/EA6200>
  • <http://support.linksys.com/en-us/support/routers/EA6300>
  • <http://support.linksys.com/en-us/support/routers/EA6400>
  • <http://support.linksys.com/en-us/support/routers/EA6500>
  • <http://support.linksys.com/en-us/support/routers/EA6700>
  • <http://support.linksys.com/en-us/support/routers/EA6900>
  • <http://cwe.mitre.org/data/definitions/310.html>
  • <http://cwe.mitre.org/data/definitions/200.html>

Acknowledgements

Thanks to Kyle Lovett and Sijmen Ruwhof for discovering these vulnerabilities.

This document was written by Todd Lewellen.

Other Information

CVE IDs: | CVE-2014-8243, CVE-2014-8244
---|---
Date Public: | 2014-10-31
Date First Published: | 2014-10-31
Date Last Updated: | 2014-11-07 19:15 UTC
Document Revision: | 39