Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access

2013-07-08T00:00:00

Description

Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using lighttpd 1.4.28 and Utopia on Linux 2.6.22 Firmware Version: 1.0.14 EA2700 Firmware Version: 1.0.30 EA3500 Firmware Version: 2.0.36 E4200 Firmware Version: 2.0.36 EA4500 Impact: - Major Timeline: - Still awaiting word back from Linksys support. Partial disclosure at the present due to the impact; Full disclosure in near future if warranted. Vulnerabilities: - Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations (see below) - Direct access to several other critical files, unauthenticated as well Vulnerability Conditions seen in all variations: - Remote Management - Disabled - UPnP - Enabled - IPv4 SPI Firewall Protection - Disabled Although not the same symptoms as the bug that plagues most ASUS routers that are AiCloud enabled with WebDav, the utilization of both UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely problematic combination, exposing certain vulnerabilities to the WAN side of the router. Recommendations- - Disable UPnP - Enable at minimum the built in IPv4 SPI firewall - Oddly, in some instances, resetting the password and doing a full power down reboot has shown to close the vulnerability, but not always - Disallow remote access from the WAN side - both http and https - Changing the default user name and password won't help in this case, but it always bears repeating - Since an attacker has access to enable FTP service, USB drives mounted in the router should be removed until a patch is out, or the full scope of the issue is known Testing additional firmware is ongoing.

{"id": "SECURITYVULNS:DOC:29510", "bulletinFamily": "software", "title": "Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access", "description": "\r\n\r\nVulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using\r\nlighttpd 1.4.28 and Utopia on Linux 2.6.22\r\n\r\nFirmware Version: 1.0.14 EA2700\r\nFirmware Version: 1.0.30 EA3500\r\nFirmware Version: 2.0.36 E4200\r\nFirmware Version: 2.0.36 EA4500\r\n\r\nImpact: - Major\r\n\r\nTimeline: - Still awaiting word back from Linksys support. Partial\r\ndisclosure at the present due to the impact; Full disclosure in near\r\nfuture if warranted.\r\n\r\nVulnerabilities:\r\n- Unauthenticated remote access to all pages of the router\r\nadministration GUI, bypassing any credential prompts under certain\r\ncommon configurations (see below)\r\n- Direct access to several other critical files, unauthenticated as well\r\n\r\nVulnerability Conditions seen in all variations:\r\n\r\n- Remote Management - Disabled\r\n- UPnP - Enabled\r\n- IPv4 SPI Firewall Protection - Disabled\r\n\r\nAlthough not the same symptoms as the bug that plagues most ASUS\r\nrouters that are AiCloud enabled with WebDav, the utilization of both\r\nUPnP and SSL on lighttpd v 1.4.28 appears to be an extremely\r\nproblematic combination, exposing certain vulnerabilities to the WAN\r\nside of the router.\r\n\r\nRecommendations-\r\n\r\n- Disable UPnP\r\n- Enable at minimum the built in IPv4 SPI firewall\r\n- Oddly, in some instances, resetting the password and doing a full\r\npower down reboot has shown to close the vulnerability, but not always\r\n- Disallow remote access from the WAN side - both http and https\r\n- Changing the default user name and password won't help in this case,\r\nbut it always bears repeating\r\n- Since an attacker has access to enable FTP service, USB drives\r\nmounted in the router should be removed until a patch is out, or the\r\nfull scope of the issue is known\r\n\r\nTesting additional firmware is ongoing.\r\n", "published": "2013-07-08T00:00:00", "modified": "2013-07-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29510", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:48", "edition": 1, "viewCount": 93, "enchantments": {"score": {"value": 1.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13156"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13156"]}]}, "exploitation": null, "affected_software": {"major_version": []}, "vulnersScore": 1.8}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645624889, "score": 1659803227, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "c325ff3de9671f4c280c608e373a0d77"}}