The Lynksys E4200 V2 dual band router contains a vulnerability that an attacker could exploit, bypassing the Web panel authentication mechanism and gaining administrative privileges on affected devices.
Linksys has provided a firmware update that resolves the vulnerability. However, as is nearly always the case with router vulnerabilities, users of affected devices must surf to the Linksys E4200 webpage and download and install the firmware manually. The researcher that disclosed the bug claims the problem is further worsened because Linksys has not informed customers about the bug or the fix for it.
Independent security researcher Jordan Bradley claims the bug is caused by the router’s ability to listen on port 8083.
Independent security researcher Jordan Bradley claims the bug is caused by the router’s ability to listen on port 8083 with the same interface as on port 80. This is significant because accessing the device through port 8083 completely circumvents the HTTPS authentication process and grants administrative privileges on that device.
Beyond the internal impact of giving an attacker full admin privileges on affected E4200 routers, the bug has potential external implications as well. The device could be exposed to the broader Internet if the network controller had some DMZ or forwarding rules enabled.
Bradley notes that the problem is exacerbated by a broken firmware-checking feature. The device he tested this bug on purported to have what was at the time the latest firmware version installed. In reality though, it was running an older version. The newest version of the device’s firmware – the one that resolves the bypass bug – is also said to fix the firmware version recognition problem. The researcher says that there is no indication of that second fix in the firmware changelog.
“As part of a responsible disclosure process, I contacted Linksys February 12th,” Bradley writes. “It took a few weeks before they took me seriously, but then responded and asked me to do more testing. I did and gave them the results, of which they committed to releasing a CVE for this.”
He then waited four months, in which he claims he regularly reached out to Linksys, before disclosing the bug publicly yesterday.
In an update, he notes that the same vulnerability was uncovered earlier by independent researcher Kyle Lovett.