<a href="http://theinquirer.net/?article=16298">http://theinquirer.net/?article=16298</a><br /><br />Many of us in here have a Linksys router providing NAT, wireless access, a firewall, DHCP and other things for our personal LANs and WLANs connected to cable or DSL providers. It seems there is an exploit that can erase your router configurations and monitor information in packets you transmit back and forth.<br /><br /><a href="http://target?"><img src="http://www.pocketpcthoughts.com/images/hansberry/redalertstatic.gif" /></a><br /><br />Unfortunately, Linksys, now a part of Cisco, doesn't have a fix or even an acknowledgment of the two week old exploit. :evil: I am totally stumped. What do I do? Unplug it from the internet and dig out my modem?

good thing mine's a dlink

Any more details on this exploit? (not asking to post it, but how about a more in-depth explaination of how it works) Do you have to have anything special enabled to be at risk?

edit: nevermind...guess I should click the link before I comment :oops:

I thought linksys frequently put out firmware updates to counter this type and other types of bugs and problem.

My linksys router became very high maintenance after 1 year of use, requiring constant resets. But my linksys experience doesn't stop there. Of all the boxing day deals I bought, every single rebate (more than a dozen of them in tall) has come back except one linksys rebate.

Now this?

Now that Microsoft has exited the market, where should I turn to when I need more broadband networking gears? Anyone care to make a suggestion?

Blast. I have a BEFSR-41 and have been very happy with it up to now. I had wondered why there were so few updates for it, and now the Inq says this:

At the time of writing this, the last firmware on the Linksys web page for the very popular BEFSR41 routers is 1.45.7, dated June 2003. I remember that Linksys used to update its firmware on a monthly basis, sometimes faster, back in the days it was a small company trying to beat the big guys.

Sadly, after being engulfed by Cisco, the corporate bureaucracy seems to have slowed down its firmware fixing and killed its reaction time. Time for me to look at router alternatives, it seems. Personally, I think a company that doesn't even issue a comment or post a notice on its firmware web page confirming or denying such vulnerability, two weeks after a supposed exploit is in the wild, is a company too busy with itself to care about its customers. µ


Hmmmm my last Linksys perhaps. :?

I contacted Linksys support, they didnt know what I was talking about... exploits etc. I gave them the links... SIGH.

Glad I've got a WRT54g, with custom firmware, and don't use BOOTP to boot (no pun intended)

good thing mine's a dlink

I just ordered a new router friday, glad I went with the dlink instead of linksys...

I would use this as a good opportunity to upgrade to a WRT54G. I also have noticed that Linksys has not touched the code for this router in a long time. That was also a reason (besides having faster local connections) that I decided now was the time. The WRT54G is a very good router (and also doesn't run the same code that this exploit uses according to this article.). In any case, you should always be encrypting thr traffic that needs encrypted like credit card transactions(likely alreayd done for you thanks to SSL) and remote admin sessions thru ssh(your needs may vary). Thats the beauty of Linux on the WRT54G...Linksys may not bring out a patch for a vulnerability, but someone will! :D

I would use this as a good opportunity to upgrade to a WRT54G.
Why? So someone can find a vulnerability in 2006 and Linksys will have abandoned it too? I am gonig to wait and see what their response is to this before I put another LInksys in my house. :?

Did you read his full post? Doesn't matter if Linksys decalres it the devil, there are quite a few firmware distros that add tons of functionality, and a full shell to boot.

Glad I've got a WRT54g, with custom firmware, and don't use BOOTP to boot (no pun intended)

Not that this necessarily applies to you, but for everyone's benefit... You don't have to use BootP on your network for this exploit to affect you. The BootP service is still available on the router. Now, I'm assuming that if you turn off DHCP in the router, then this problem goes away, but then you'll need to manually configure TCP/IP on all of the computers on your network (assuming you don't have another DHCP server on the network). If you DO have an actual server on the network, you should use it for DHCP anyway, since it's always a good idea to keep the firewall server/device as "vanilla" as possible, as it's the only device that is visible to the outside world by design, and will be the first device "hacked." Rule of thumb: Firewalls should only be handling firewall tasks. Move everything else inside.

Glad I've got a WRT54g, with custom firmware, and don't use BOOTP to boot (no pun intended)

Not that this necessarily applies to you, but for everyone's benefit... You don't have to use BootP on your network for this exploit to affect you. The BootP service is still available on the router. Now, I'm assuming that if you turn off DHCP in the router, then this problem goes away, but then you'll need to manually configure TCP/IP on all of the computers on your network (assuming you don't have another DHCP server on the network). If you DO have an actual server on the network, you should use it for DHCP anyway, since it's always a good idea to keep the firewall server/device as "vanilla" as possible, as it's the only device that is visible to the outside world by design, and will be the first device "hacked." Rule of thumb: Firewalls should only be handling firewall tasks. Move everything else inside.
Ah...thanks for the info. Guess I'm not at risk then - I run a WinServer2003 server (trial - g2 love trials ;)) for DHCP. This is a nice alternative to static IPs as I can assign my comp the same IP every time yet not have to make it a static IP. (Only bad thing is since my server is below my router, when the power goes out, it's a pain to get everything back up if you don't turn things on in the right order.)

Hm thanks JT3. Wasn't sure there since I wasn't able to find anything more specific, but the fact I'm running an unaffected router with a completly different DHCP server should put most WRT54g users out in the safe.

I would use this as a good opportunity to upgrade to a WRT54G.
Why? So someone can find a vulnerability in 2006 and Linksys will have abandoned it too? I am gonig to wait and see what their response is to this before I put another LInksys in my house. :?

Ed, the Linksys WRT54G runs Linux. It's open source. Linksys can do whatever the heck they want and as long as people want to use the device, they will. Sveasoft, WiFi-Box and others have very fine REPLACEMENTS for what Linksys provides and they provide functionality that Linksys never intended. Functionality that is already available if you want to build your own Linux box to do it.....but instead of doing the hard thing, do the easy thing. Go buy this fine device and be satisfied that if there's a hole, it will be patched regardless of Linksys schedule. This is the smartest thing that Linksys ever did and I hope Cisco continues this. BTW, interesting stat.....the WRT54G usually has a 206 MHz Strong arm in it.

Let me get this straight...

The linksys routers are vulnerable to this exploit from the WAN/outside side of the router?

And it is vulnerable under what circumstances/configurations?

So the WRT54G is a completely different design that runs Linux and there are open-source replacement firmwares for it?

But the WRT54G is a wireless router... what if I don't need the wireless stuff?

Let me get this straight...

The linksys routers are vulnerable to this exploit from the WAN/outside side of the router?


Yes.


And it is vulnerable under what circumstances/configurations?


When you use DHCP


So the WRT54G is a completely different design that runs Linux and there are open-source replacement firmwares for it?


Yes. I think that previous versions used VxWorks or some other embedded OS other than Linux. When the WRT54G was released, it was not known to run Linux, but some smart folks figured out it did and called Linksys on a GPL violation. Linksys then released the source code.


But the WRT54G is a wireless router... what if I don't need the wireless stuff?

The WRT54G costs around 100. You'd pay just as much if you'd try to just buy a switch. In fact trying to buy just a switch seems to be getting harder now adays.

Real Quick

If you already have a WAP, you can always wire it to a lan port and setup the WAP on a different channel then the WRT54G or ebay what you got. If you don't need or want WiFi now, you may want it in the future. You can always turn thre radio off.[/b]

I don't know about this. The guy who wrote the artical is a little off if nothing else. A dhcp server does not give out bootp addresses. A dhcp server gives out ip addresses using dhcp and a bootp server gives out ip addresses useing bootp. Similar result - dhcp can do a lot more - but the same idea. If any of you remember using slip before ppp was out to dial-in to the internet you may also remember using bootp instead of dhcp to get dynamic ip addresses.

I have a befw11S4 and as far as I can tell it doesn't do bootp. I'd be surprised if any current linksys devices do.

Thank god I moved to Netgear about 2 months ago. My Linksys died on me.

Articles like this really set me off - the thing reads like a spam chain letter. Sheesh - No "unbiased journalism" going on here...

Let me get this straight...

The linksys routers are vulnerable to this exploit from the WAN/outside side of the router?

Yes.

And it is vulnerable under what circumstances/configurations?

When you use DHCP

Forgive me for being argumentative, but huh? Think about what you are saying here - the two responses seem mutually exclusive. Why the hell would any router/firewall be providing a response to any dhcp or bootp request from the WAN side? That's just silly - to even provide a valid response on the WAN side would be a huge fundamental problem for so many reasons. Logically speaking, I highly doubt the exploit is available on the WAN side.

Further, I've read all the materials linked, and I can find nothing that explicity states that the WAN side is vulnerable (though the tone of that inflammatory article sure implies it). Finally, the OSVDB indicates on one of the classification bullets: "Remote/Network Access Required." I read that to mean you would have to be on the LAN side - either physically or via VPN - for this to work.

I really, really think you need to be inside the network (LAN side of router) to make use of this exploit.

That being said, it is still a big problem that needs to be fixed. But, assuming I'm right, this is *not* a situation where script kiddies are scanning the internet, poking holes in your router from the outside.

BTW, I'm also really suspicious that the exploit extends beyond the two routers tested (BEFSR41 and BEFW11S4), but I'll let someone else debunk that.

http://www.addict3d.org/index.php?page=viewarticle&type=security&ID=1228 has a more detailed bug report, as well as code to test the exploit. It gave this as a list of possible vulnerable devices, how ever his only baises was that they have a dhcp server in them.

* Tested on a fully updated Linksys BEFSR41 and BEFW11S4, but
* will likely work on all Linksys devices that have a DHCP
* server. Currently, this looks to include at least the BEFN2PS4,
* BEFSR41, BEFSR81, BEFSX41, RV082, BEFCMU10, BEFSR11, BEFSR41W,
* BEFSRU31, BEFVP41, WRT55AG, WRV54G, WRT51AB

also "The vulnerability has been fixed in firmware version 1.05.00 for BEFSR41 ver3."

I also found an unsigned blog entree on spoofed.org, not sure if this is just a depository of peoples blogs, but the entree was definetly written as if the person who discovered the exploit wrote it, so I dunno if its the guy who found it or not. If it is, he says he has allready worked with linksys and cisco and that he dodnt know when the patch will be released, but that "Linksys' fix was to just ignore BOOTP packets, which isn't the best way, but it works.".

that said, the compleat method this guy described on how he found the exploit was he was using bootp packets on his laptop to get an ip (dhcp IS bootp, but fancier) and it wasnt working right. This denotes that the exploit was done compleatly behind the router, on the lan side., with a trusted connection.

Also with the fact that routers dont (because they cant do anything, its not like you can connect a computer to the router's lan part from over the internet) even send dhcp request info too the internet, I think its safe to say you are only in danger if the person is on the lan side, and of course they have will need the encryption codes for WEP before any readable info can be sent to the dhcp server so wireless is potentialy safe.

also the attack isnt stable. If someone bombards you with packets (as only real real real short term memory is stored in the router, so to get solid bits of info, you need many packets in succsession) the router will lock and need to be reseted.

I'm looking for new home firewall router myself (either with integrated wireless or separate WAP). Something good (hardware endpoint VPN, dialup modem backup/RAS, multi-NAT, access control, specific supports for DDNS, time sync, app profiles, etc) -- without the high $$$ from the likes of SonicWall/WatchGuard/etc.

For integrated wireless router I'd really wanted to combine the features of Netgear's FWAG114 (11a/g) and FWG114P (11g-only but more features). But I'm also leaning towards getting a no-compromise home router (such as D-Link's DFL-300 with the 300MHz NS Geode GX1 platform) and just get a WAP separately.

Picks for integrated wireless (current Buy.com prices):
- Netgear FWG114P -- $157
- Netgear FWAG114 -- $269

Picks without wireless (current Buy.com prices):
- D-Link DFL-300 -- $325
- D-Link DFL-80 -- $192
- Netgear FVS328 -- $178
- Linksys RV082 (Cisco) -- $260

Here's my interim list from last month (prices have dropped a bit):

ROUTERS & WIRELESS (May 2004)
=============================

Review Links:
http://www.pcmag.com/article2/0,1759,1579457,00.asp
http://www.tomsnetworking.com/Reviews.php
http://www.wi-fiplanet.com/reviews (http://www.practicallynetworked.com)
http://www.speedguide.net/reviews.php

Common: SPI firewall, Buy.com prices (free shipping)

Features TBD: multiple mapped IPs (multi-NAT), DNS proxy,
parental control/content filtering, DDNS, time sync, game/app profiles, etc.


Linksys:
--------
- WRT55AG: 4p WiFi-A+G ($250)
- WRV54G: 4p WiFi-G 50-VPN ($180)
- WRT54GS: 4p WiFi-G+, enhanced parental control ($100)

* RV082: 8p 50-VPN, dual-WAN (failover/balancing), multi-NAT (Cisco) ($268)
- BEFVP41: 4p 50-VPN, weak firewall? ($100)
- BEFSX41: 4p 2-VPN ($60)


NetGear:
--------
* FWAG114: 4p WiFi-108A+G 2-VPN, 20Mbps+ WAN ($274)
* FWG114P: 4p WiFi-G 2-VPN, USB printserver, DB9 backup, 56Mbps WAN ($170)
- WGT634U: 4p WiFi-108G, NAS-capable (Amazon $145 + S/H)

- FVL328: 8p 100-VPN, 50Mbps+ WAN ($328 w/ 3 NICs)
* FVS328: 8p 50-VPN, DB9 backup, 50Mbps+ WAN ($182)
- FVS318: 8p 8-VPN ($127 - $10)


D-Link:
-------
- DI-784: 4p WiFi-108A+108G ($148)
- DI-824VUP: 4p WiFi-G 40-VPN, USB/1284 printserver, DB9 backup? ($152)

* DFL-300: 1p+DMZ ?-VPN, traffic-monitoring, multi-NAT, DNS proxy,
many features, 100Mbps WAN ($355)
* DFL-80: 4p+DMZ ?-VPN, traffic-monitoring, multi-NAT, DNS proxy ($210)
- DI-804HV/DI-808HV: 4/8p 40-VPN, DB9 backup? ($57/$91)


SMC:
----

ZyXEL:
------
* Prestige 334(W): 4p ?-VPN, 100Mbps WAN, (WiFi-G) ($73/_ + S/H)

- ZyWALL 30W: 1p 30-VPN, DB9 backup ($358 + S/H)
- ZyWALL 10(II/W): 1p 10-VPN, DB9 backup, 20Mbps WAN ($251/$273)
- ZyWALL 2X(W): 4p 2-VPN, DB9 backup, (WiFi-B) ($143/$222)


SMB: SonicWall / WatchGuard / SnapGear / etc...


=================================================
DESKTOP GIGABIT SWITCHES (May 2004)
===================================
Common: rear ports, Buy.com prices (free shipping)

Linksys:
--------
* SD2005/SD2008: 5/8p, rear ports, compact, lifetime (Cisco) ($95/$154)
- EG005W/EG008W: 5/8p, rear ports, stackable, 2-yr ($106/$162)

D-Link:
-------
- DGS-1005D/DGS-1008D: 5/8p, rear ports, diff sizes, 5-yr ($74/$147)

Thank god I moved to Netgear about 2 months ago.
Ditto :D . I started out with Linksys equipment but slowly changed it all over the past 2 years. I got burnt too many times because of the lack of drivers for Linksys equipment and decided to pull the plug on them. I find that between Netgear and SMC my network needs are taken care of and their equipment works like charm - and installations are also a no brainer. (Last to go was a Linksys print server which I replaced with SMC. I was printing within 10 minutes of opening the box 8) - That's cool hardware and software cooperation.)

Jeff-

I just went to the Linsys site as I have a BEFSR41. Here's the latest info on the firmware:

Ver #. 1.05.00 - Apr. 1,04
1. Fixed multicast issue broadcast on all ports
2. Fixed DHCP vulnerability
3. Fixed inappropriate ARP response from the router
4. Fixed fragmented data arriving to destination in the wrong order. This affected IPSec VPN users
5. Modified web user interface for ease of use
http://www.linksys.com/download/vertxt/Befsr41v3ver.txt
It looks like Linksys has fixed this problem.

I just went to the Linsys site as I have a BEFSR41. Here's the latest info on the firmware:

Ver #. 1.05.00 - Apr. 1,04
1. Fixed multicast issue broadcast on all ports
2. Fixed DHCP vulnerability
3. Fixed inappropriate ARP response from the router
4. Fixed fragmented data arriving to destination in the wrong order. This affected IPSec VPN users
5. Modified web user interface for ease of use
http://www.linksys.com/download/vertxt/Befsr41v3ver.txt
It looks like Linksys has fixed this problem.

If you have a v3 router. It is not there for the normal BEFSR41, nor is it there for any BEFW11S4 version - 2, 3, 3.2 or 4. It does look like they are working on it though.

I only surf for porn so I don't care if somebody watches. Actually, I kinda like the thought of someone watching. 8O

I only surf for porn so I don't care if somebody watches. Actually, I kinda like the thought of someone watching. 8O
:twak: :lilangel: :wink:

If you own a wrt54g and you're using linksys's firmware then you should change your password. More details here (http://www.internetnews.com/infra/article.php/3362321)

If you own a wrt54g and you're using linksys's firmware then you should change your password. More details here (http://www.internetnews.com/infra/article.php/3362321)

You should change your password period. ;)

It's these types of reasons that make me so glad that I went with D-Link. I've heard about more problems with Linksys products than anything and it's made me avoid touching them even with a ten foot pole.

Go buy a D-Link. Problem solved.

Unfortunately, Linksys, now a part of Cisco, doesn't have a fix or even an acknowledgment of the two week old exploit. :evil: I am totally stumped. What do I do? Unplug it from the internet and dig out my modem?You also could go to www.sveasoft.com and download alternative firmware. This guy has performed little miracles with this thing. It is running a fully fledged linux kernel. This firmware has extremely good load balancing (actually it is traffic shaping: you can give some unimportant traffic far less preference) and you can configure the firewall like you want (it is running IPTables!)......

I use it and i never was happier with a WiFi access point.

Jaap

I haven't had a bit of trouble out of my D-Link router.... except a couple of initial hic-cups with my VPN through work. :cry:

But that was quickly corrected with a call to their customer service, I received an email telling me how to configure it for VPN and I was on my way.

Every now and then I will need to reboot the router.... (about 1 time a month) but that is no big deal.

D-Link seems to be the clear winner! :mrgreen:

It's these types of reasons that make me so glad that I went with D-Link. I've heard about more problems with Linksys products than anything and it's made me avoid touching them even with a ten foot pole.

Go buy a D-Link. Problem solved.
Until there's a problem with D-Link routers...oh, but then I suppose you'd say buy netgear - until there's a problem with netgear routers...jeez people, this is just like those saying "I use Linux instead of Windows cause I won't have the stupid Windows problems." - well they have their own linux problems...grow up. You use what you use. Software isn't perfect, but it can change.

D-Link seems to be the clear winner! :mrgreen:
Just because they aren't subject to an exploit right now doesn't mean they are the better router. They may be, but they may not be. As for rebooting your router once a month? I've rebooted my Linksys maybe 5 times in 2 years and at least 2 of those were after storms and/or phone company line maintenance. (DSL here)

Well it seems like Netgear is net up in line for exploits. See here (http://www.securityfocus.com/archive/1/365069) for more details.

Interestingly enough, the wireless on my dear BEFW11S4 decided to stop functioning sometime in the past 24 hours. Rebooting, (hard) resetting, restoring the latest firmware all do not rectify it. :mecry:

Fun with your Linksys Router...

Cringely - The Little Engine That Could (http://www.pbs.org/cringely/pulpit/pulpit20040527.html)

You see, it isn't what the WRT54G does that matters, but what it CAN do when reprogrammed with a different version of Linux with different capabilities.

Cringely - The Little Engine That Could (http://www.pbs.org/cringely/pulpit/pulpit20040527.html)
Dang! You beat me to it. Be sure to catch his follow-up too: Engines of Change (http://www.pbs.org/cringely/pulpit/pulpit20040603.html)

I used to have a Linksys wired router, but it started acting erraticly a while ago and was replaced with a D-Link 802.11b model. The D-Link has worked pretty well, but the configuration interface is horrible—the organization is confusing, and JPEG is used where PNG should have been (and man does it look horrible!). Unless they've really improved this in there recent offerings, there's no way that I'll go for a D-Link again.

This makes me think WEP may help?

http://www.addict3d.org/index.php?page=viewarticle&amp;type=security&amp;ID=1228 has a more detailed bug report, as well as code to test the exploit. It gave this as a list of possible

&lt;snip>

Also with the fact that routers dont (because they cant do anything, its not like you can connect a computer to the router's lan part from over the internet) even send dhcp request info too the internet, I think its safe to say you are only in danger if the person is on the lan side, and of course they have will need the encryption codes for WEP before any readable info can be sent to the dhcp server so wireless is potentialy safe.

also the attack isnt stable. If someone bombards you with packets (as only real real real short term memory is stored in the router, so to get solid bits of info, you need many packets in succsession) the router will lock and need to be reseted.

Well, as soon as someone spots when Linksys issue a patch, can they post it here? Thread reply notifications are so much faster than checking the Linksys website every day. :wink:

Well, as soon as someone spots when Linksys issue a patch, can they post it here? Thread reply notifications are so much faster than checking the Linksys website every day. :wink:
Article about a patch - [neowin (http://www.neowin.net/comments.php?id=20970&category=main)] and [C|NET (http://news.com.com/Linksys+Wi-Fi+router+vulnerability+discovered/2100-7349_3-5226918.html?tag=nefd.top)]

Sure, but those articles are only about a patch for the Linksys WRTS54G 802.11g wireless switch, not the ones the original post here is talking about.

The latest firmware for the BEFSR41 is still 24/06/2003, so no new patch yet. :|

Some patches are trickling out of Linksys.

http://www.linksys.com/download/firmware.asp?fwid=3

That is the BEFSR41 ver. 1 & ver. 2.x/BEFSR11/BEFSRU31

The BEFW11S4 ver.2/2.1/3/3.2 hasn't been updated yet, but it does look like they are working on it.

BEFW11S4 V4 is at http://www.linksys.com/download/firmware.asp?fwid=182

Yup, the Inquirer has a story up about it here (http://www.theinquirer.net/?article=16416).

Fixes include:

Fixed CGI string attacks issue
Fixed UPnP on Windows XP SP2 issue
Fixed One way audio issue
Fixed NAT-T issue for some VPN connection
Fixed DHCP server revision, fill the siaddr to the server address
Fixed DHCP (BOOTP) vulnerability issue
Added Filter IDENT(port 113) to appear stealth when scanned
Added DHCP option 55 support
Fixed buffer leakage bug
Modified TCP Support RFC 3360 standard
Modified PPPoE/L2TP/PPTP fragmentation supports fragmenting 1 packet into more than 3.
Modified MTU/MRU function for better handling