Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtKyle Lovett1337DAY-ID-21913
HistoryFeb 18, 2014 - 12:00 a.m.

Linksys EA2700, EA3500, E4200, EA4500 Authentication Bypass

2014-02-1800:00:00
Kyle Lovett
0day.today
35

0.323 Low

EPSS

Percentile

97.1%

JSON

Linksys products EA2700, EA3500, E4200, and EA4500 suffer from having an unauthenticated interface on port 8083 periodically.

Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500

Vulnerability:
Due to an unknown bug, which occurs by every indication during the
installation and/or upgrade process, port 8083 will often open,
allowing for direct bypass of authentication to the "classic Linksys
GUI" administrative console for remote unauthenticated users.

If vulnerable, an attacker would have complete control of the routers
administrative features and functions.

On affected models by simply browsing to:

http://<IP>:8083/

a user will be placed into the admin console, with no prompt for
authentication. Moreover, by browsing to:

http://<IP>:8083/cgi-bin/

the following four cgi scripts (often there are more depending on the
firmware and model) can also be found.

fw_sys_up.cgi
override.cgi
share_editor.cgi
switch_boot.cgi

It has been observed that Port 443 will show as open to external scans
when the vulnerability exists, though not all routers with this open
port are affected. On the http header for port 8083, for those
affected, "Basic Setup" is the only item of note observed.

An end user should not rely on the router's GUI interface for the
status of remote access, as this bug is present when the console shows
remote access as disabled.

CVE ID: 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Timeline:
The vendor was first notified of this bug in July 2013, and several
follow-up conversations have occurred since that time.

Patches/Workaround:
No known patches or official fixes exist, though some workaround
fixes, including reinstallation of the firmware have been often shown
to solve the issue. This is not an official workaround and it is
strongly advised to contact Linksys support for additional
information.

Recommendations:

- Scan for an open port 8083 from the WAN side of the router to check
for this particular vulnerability.
- Since an attacker has access to enable FTP service, USB drives
mounted on those routers which have them, should be removed until an
official fix is out or vulnerability of the router has been ruled out.

Research Contacts: Kyle Lovett and Matt Claunch
Discovered - July 2013
Updated - February 2014

#  0day.today [2018-03-28]  #

Related

prion 1
nvd 1
cve 1
openvas 1
cvelist 1
securityvulns 1
prion
prion
Design/Logic Flaw
2020-01-07 14:15:00
nvd
nvd
CVE-2013-5122
2020-01-07 14:15:10
cve
cve
CVE-2013-5122
2020-01-07 14:15:10
openvas
openvas
Multiple Cisco Linksys Products Security Bypass Vulnerability
2014-06-05 00:00:00
cvelist
cvelist
CVE-2013-5122
2020-01-07 13:29:43
securityvulns
securityvulns
Linksys EA access points authentication bypass
2013-08-20 00:00:00

0.323 Low

EPSS

Percentile

97.1%

JSON
Related for 1337DAY-ID-21913
prion1nvd1cve1openvas1cvelist1securityvulns1