Security researchers have recently uncovered a number of vulnerabilities in popular wireless routers.
The vulnerabilities were discovered in Linksys, D-Link and NETGEAR devices, which collectively comprise a large segment of the market for routers. Security researcher Phil Purviance published details on five Linksys router vulnerabilities last week while Rapid7 added new modules to Metasploit targeting vulnerabilities in embedded Linux-based routers from D-Link, NETGEAR and Linksys.
“During my research process, I thought it would be good to take a look at how…[the devices] did in regards to securing their administration features,” blogged Purviance. “I chose the Linksys EA2700 Network Manager N600 Wi_Fi Wireless-N Router because it is a major brand device, and was recently released in March 2012, making it an easy choice for home users looking for an easy to use home Wi-Fi router. I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again.”
“It only took 30 minutes,” he added, “to come to the conclusion that any network with an EA2700 router on it is an insecure network!”
The vulnerabilities included a cross-site scripting vulnerability on the router apply.cgi page, a file path transversal vulnerability, a source code disclosure issue, a lack of cross-site forgery and a “password Change Insufficient Authentication and CSRF [cross-site request forgery] Vulnerability” that enables anyone on the same network to change the router’s password and enable remote management.
Cisco completed the sale of its Linksys product line to Belkin International in March. Belkin did not respond to a SecurityWeek request for comment before publication.
In the case of the new Metasploit modules, the issue could enable a malicious attacker to take control of the router and load firmware onto the device – enabling the hacker to become a permanent fixture inside the affected organization.
“Unlike a regular insider, though, the attacker does not have to compromise WEP or WPA encryption — the router will have decrypted the traffic already,” said Tod Beardsley, Metasploit engineering manager. “This means that attacks, such as DNS poisoning, TCP session hijacking, and redirecting requests for automatic patches (AKA “evilgrade” attacks), all become possible and permanent threats.”
According to Beardsley, there are a few things organizations can do to protect their routers.
“First and foremost, change the default password, and if possible, the default username,” he said. “This will make it considerably harder for attackers to simply guess at administrator credentials. Second, many wireless access points (WAP) have an option to disable the management console over the wireless interface. If your WAP has that option, use it. This means that in order to configure and maintain the router, you need to be on a physical, wired connection. Doing this helps mitigate the risk from the Internet-café-style of attacker.”
In addition, organizations should make sure when managing their WAP that they are not vulnerable to cross-site request forgeries or cross-site scripting attacks sourced from malicious, external websites, he said. This can be accomplished by managing the WAP using a browser’s private browsing’ mode to ensure separation in the browser’s session management, he said.
Lastly, organizations should investigate free and open source alternatives to the stock router firmware, such as projects like OpenWRT and DD-WRT.
“Given the level of detail in the various vulnerability disclosures, the Linksys vulnerabilities are trivial to exploit,” Beardsley said.