Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500 using
lighttpd 1.4.28 and Utopia on Linux 2.6.22

Firmware Version: 1.0.14 EA2700
Firmware Version: 1.0.30 EA3500
Firmware Version: 2.0.36 E4200
Firmware Version: 2.0.36 EA4500

Impact: Major

Timeline: Still awaiting word back from Linksys support. Partial
disclosure at present due to the impact; full disclosure in the near
future if warranted.

Vulnerabilities:
- Unauthenticated remote access to all pages of the router
administration GUI, bypassing any credential prompts under certain
common configurations (see below)
- Direct access to several other critical files, unauthenticated as well

Vulnerability conditions seen in all variations:

- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Although the symptoms are not the same as those of the bug that plagues
most ASUS routers that are AiCloud-enabled with WebDAV, the use of both
UPnP and SSL on lighttpd v1.4.28 appears to be an extremely
problematic combination, exposing certain vulnerabilities to the WAN
side of the router.

Recommendations:

- Disable UPnP
- Enable, at minimum, the built-in IPv4 SPI firewall
- Oddly, in some instances, resetting the password and doing a full
power-down reboot has been shown to close the vulnerability, but not always
- Disallow remote access from the WAN side, both HTTP and HTTPS
- Changing the default user name and password won't help in this case,
but it always bears repeating
- Since an attacker has access to enable the FTP service, USB drives
mounted in the router should be removed until a patch is out or the
full scope of the issue is known

Testing of additional firmware is ongoing.

Source: SECURITYVULNS:DOC:29510, "Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access", reported by Securityvulns, published 2013-07-08, https://vulners.com/securityvulns/SECURITYVULNS:DOC:29510