Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access


Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22 Firmware Version: 1.0.14 EA2700 Firmware Version: 1.0.30 EA3500 Firmware Version: 2.0.36 E4200 Firmware Version: 2.0.36 EA4500 Impact: - Major Timeline: - Still awaiting word back from Linksys support. Partial disclosure at the present due to the impact; Full disclosure in near future if warranted. Vulnerabilities: - Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations (see below) - Direct access to several other critical files, unauthenticated as well Vulnerability Conditions seen in all variations: - Remote Management - Disabled - UPnP - Enabled - IPv4 SPI Firewall Protection - Disabled Although not the same symptoms as the bug that plagues most ASUS routers that are AiCloud enabled with WebDav, the utilization of both UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely problematic combination, exposing certain vulnerabilities to the WAN side of the router. Recommendations- - Disable UPnP - Enable at minimum the built in IPv4 SPI firewall - Oddly, in some instances, resetting the password and doing a full power down reboot has shown to close the vulnerability, but not always - Disallow remote access from the WAN side - both http and https - Changing the default user name and password won't help in this case, but it always bears repeating - Since an attacker has access to enable FTP service, USB drives mounted in the router should be removed until a patch is out, or the full scope of the issue is known Testing additional firmware is ongoing.