ID

VAR-202001-1158


CVE

CVE-2013-5122


TITLE

Cisco Linksys Authentication vulnerability in router

Trust: 0.8

sources: JVNDB: JVNDB-2013-007035

DESCRIPTION

Cisco Linksys Routers EA2700, EA3500, E4200, EA4500: A bug can cause an unsafe TCP port to open which leads to unauthenticated access. Cisco Linksys routers contain an authentication vulnerability. Information may be obtained or tampered with, and a denial of service (DoS) may result.

The affected versions are as follows:

- Cisco Linksys EA2700 running firmware 1.0.14
- Cisco Linksys EA3500 running firmware 1.0.30
- Cisco Linksys EA4200 running firmware 2.0.36
- Cisco Linksys EA4500 running firmware 2.0.36

Linksys E-series routers are popular router devices. Multiple Linksys E-series routers have multiple security vulnerabilities that allow malicious users to bypass some of the security restrictions:

1. The device fails to properly restrict access to tmUnblock.cgi and hndUnblock.cgi, allowing an attacker to exploit the vulnerability to inject and execute arbitrary shell commands.
2. The device fails to properly restrict access to the console, allowing an attacker to access restricted functionality through the TCP port 8083.

-----------------------------------------------------------------------------
Vulnerabilities:

An unspecified bug can cause an unsafe/undocumented TCP port to open allowing for:

- Unauthenticated remote access to all pages of the router administration GUI, bypassing any credential prompts under certain common configurations
- Direct access to several critical system files

CVE-ID 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Affected models and firmware:

- Linksys SMART Wi-Fi Router N600 - EA2700, Firmware Version: 1.0.14
- Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500, Firmware Version: 1.0.30
- Linksys Maximum Performance N Router E4200v2, Firmware Version: 2.0.36
- Linksys Maximum Performance N Router E4200v2, Firmware Version: 2.0.37
- Linksys SMART Wi-Fi N900 Media Stream EA4500, Firmware Version: 2.0.36
- Linksys SMART Wi-Fi N900 Media Stream EA4500, Firmware Version: 2.0.37
- Web Server Lighttpd 1.4.28
- Running - Linux 2.6.22

-----------------------------------------------------------------------------
Vulnerability Conditions seen in all variations, though not limited to:

- Classic GUI has been enabled/installed
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Fixes and workarounds:

*** It is strongly advised to those that have the classic GUI firmware installed to do a full WAN side scan for unusual ports that are open that weren't specifically opened by the end user.

It is recommended to upgrade to firmware 2.1.39 on the E4200v2 and EA4500, though it is uncertain if this resolves the problem in all cases. It is recommended to upgrade to firmware 1.1.39 on the EA2700 and EA3500, though it is uncertain if this resolves the problem in all cases.

Vendor: We have been working with Linksys/Belkin Engineers on this problem, and they are still investigating the root cause. We hope to have additional information on this bug soon.

-----------------------------------------------------------------------------
External Links

Misc:

- http://www.osvdb.org/show/osvdb/94768
- http://www.securityfocus.com/archive/1/527027
- http://securityvulns.com/news/Linksys/EA/1307.html
- http://www.scip.ch/en/?vuldb.9326
- http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/

Vendor product links:

- http://support.linksys.com/en-us/support/routers/EA2700
- http://support.linksys.com/en-us/support/routers/EA3500
- http://support.linksys.com/en-us/support/routers/E4200
- http://support.linksys.com/en-us/support/routers/EA4500

Discovered - 07-01-2013
Updated - 08-15-2013
Research Contact - K Lovett, M Claunch
Affiliation - SUSnet

-----------------------------------------------------------------------------
Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500

Vulnerability:

Due to an unknown bug, which occurs by every indication during the installation and/or upgrade process, port 8083 will often open, allowing for direct bypass of authentication to the "classic Linksys GUI" administrative console for remote unauthenticated users. If vulnerable, an attacker would have complete control of the router's administrative features and functions.

On affected models by simply browsing to:

http://<IP>:8083/

a user will be placed into the admin console, with no prompt for authentication. Moreover, by browsing to:

http://<IP>:8083/cgi-bin/

the following four cgi scripts (often there are more depending on the firmware and model) can also be found:

- fw_sys_up.cgi
- override.cgi
- share_editor.cgi
- switch_boot.cgi

It has been observed that port 443 will show as open to external scans when the vulnerability exists, though not all routers with this open port are affected. On the HTTP header for port 8083, for those affected, "Basic Setup" is the only item of note observed. An end user should not rely on the router's GUI for the status of remote access, as this bug is present when the console shows remote access as disabled.

CVE ID: 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0

Timeline:

The vendor was first notified of this bug in July 2013, and several follow-up conversations have occurred since that time.

Patches/Workaround:

No known patches or official fixes exist, though some workaround fixes, including reinstallation of the firmware, have often been shown to solve the issue. This is not an official workaround and it is strongly advised to contact Linksys support for additional information.

Recommendations:

- Scan for an open port 8083 from the WAN side of the router to check for this particular vulnerability.
- Since an attacker has access to enable the FTP service, USB drives mounted on those routers which have them should be removed until an official fix is out or vulnerability of the router has been ruled out.

Research Contacts: Kyle Lovett and Matt Claunch
Discovered - July 2013
Updated - February 2014

Trust: 3.15

sources: NVD: CVE-2013-5122 // JVNDB: JVNDB-2013-007035 // CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260 // BID: 60897 // PACKETSTORM: 122841 // PACKETSTORM: 125242

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 1.2

sources: CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260

AFFECTED PRODUCTS

vendor: cisco, model: linksys e4200, scope: -, version: -

Trust: 1.2

vendor: cisco, model: linksys ea4500, scope: -, version: -

Trust: 1.2

vendor: cisco, model: linksys ea3500, scope: -, version: -

Trust: 1.2

vendor: cisco, model: linksys ea2700, scope: -, version: -

Trust: 1.2

vendor: cisco, model: linksys ea3500, scope: eq, version: 1.0.30

Trust: 1.0

vendor: cisco, model: linksys ea4500, scope: eq, version: 2.0.36

Trust: 1.0

vendor: cisco, model: linksys e4200, scope: eq, version: 2.0.36

Trust: 1.0

vendor: cisco, model: linksys ea2700, scope: eq, version: 1.0.14

Trust: 1.0

vendor: cisco, model: linksys e 4200, scope: -, version: -

Trust: 0.8

vendor: cisco, model: linksys ea 2700, scope: -, version: -

Trust: 0.8

vendor: cisco, model: linksys ea 3500, scope: -, version: -

Trust: 0.8

vendor: cisco, model: linksys ea 4500, scope: -, version: -

Trust: 0.8

vendor: cisco, model: linksys e1000, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e2100l, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e1500, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e2500, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e2500 build, scope: eq, version: 1.0.034

Trust: 0.6

vendor: cisco, model: linksys e1550, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e1200, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e3200, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e3000, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e2000, scope: -, version: -

Trust: 0.6

vendor: cisco, model: linksys e900, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260 // JVNDB: JVNDB-2013-007035 // NVD: CVE-2013-5122

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-5122
value: CRITICAL

Trust: 1.0

NVD: CVE-2013-5122
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2013-08724
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2014-01260
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201307-283
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2013-5122
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-08724
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2014-01260
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2013-5122
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2013-5122
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260 // JVNDB: JVNDB-2013-007035 // CNNVD: CNNVD-201307-283 // NVD: CVE-2013-5122

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

sources: JVNDB: JVNDB-2013-007035 // NVD: CVE-2013-5122

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 122841 // CNNVD: CNNVD-201307-283

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201307-283

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-007035

PATCH

title: Top Page, url: https://www.cisco.com/

Trust: 0.8

sources: JVNDB: JVNDB-2013-007035

EXTERNAL IDS

db: BID, id: 60897

Trust: 3.3

db: NVD, id: CVE-2013-5122

Trust: 2.9

db: SECTRACK, id: 1029769

Trust: 1.6

db: JVNDB, id: JVNDB-2013-007035

Trust: 0.8

db: PACKETSTORM, id: 125242

Trust: 0.7

db: CNVD, id: CNVD-2013-08724

Trust: 0.6

db: EXPLOITDB, id: 31683

Trust: 0.6

db: OSVDB, id: 103321

Trust: 0.6

db: EXPLOIT-DB, id: 31683

Trust: 0.6

db: CNVD, id: CNVD-2014-01260

Trust: 0.6

db: CNNVD, id: CNNVD-201307-283

Trust: 0.6

db: VULDB, id: 9326

Trust: 0.1

db: OSVDB, id: 94768

Trust: 0.1

db: PACKETSTORM, id: 122841

Trust: 0.1

sources: CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260 // BID: 60897 // JVNDB: JVNDB-2013-007035 // PACKETSTORM: 122841 // PACKETSTORM: 125242 // CNNVD: CNNVD-201307-283 // NVD: CVE-2013-5122

REFERENCES

url:http://www.securityfocus.com/bid/60897

Trust: 3.0

url:https://nvd.nist.gov/vuln/detail/cve-2013-5122

Trust: 1.6

url:https://packetstormsecurity.com/files/cve/cve-2013-5122

Trust: 1.6

url:http://www.securitytracker.com/id/1029769

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-5122

Trust: 0.8

url:http://osvdb.org/show/osvdb/103321

Trust: 0.6

url:http://www.exploit-db.com/exploits/31683/

Trust: 0.6

url:http://www.reddit.com/r/netsec/comments/1xy9k6/that_new_linksys_worm/

Trust: 0.6

url:http://packetstormsecurity.com/files/125242/linksys-ea2700-ea3500-e4200-ea4500-authentication-bypass.html

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.3

url:http://support.linksys.com/en-us/support/routers/ea2700

Trust: 0.1

url:http://support.linksys.com/en-us/support/routers/e4200

Trust: 0.1

url:http://securityvulns.com/news/linksys/ea/1307.html

Trust: 0.1

url:http://www.scip.ch/en/?vuldb.9326

Trust: 0.1

url:http://www.osvdb.org/show/osvdb/94768

Trust: 0.1

url:http://support.linksys.com/en-us/support/routers/ea4500

Trust: 0.1

url:http://support.linksys.com/en-us/support/routers/ea3500

Trust: 0.1

url:http://www.securityfocus.com/archive/1/527027

Trust: 0.1

url:http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/

Trust: 0.1

url:http://<ip>:8083/cgi-bin/

Trust: 0.1

url:http://<ip>:8083/

Trust: 0.1

sources: CNVD: CNVD-2013-08724 // CNVD: CNVD-2014-01260 // BID: 60897 // JVNDB: JVNDB-2013-007035 // PACKETSTORM: 122841 // PACKETSTORM: 125242 // CNNVD: CNNVD-201307-283 // NVD: CVE-2013-5122

CREDITS

Kyle Lovett

Trust: 1.0

sources: BID: 60897 // PACKETSTORM: 122841 // CNNVD: CNNVD-201307-283

SOURCES

db: CNVD, id: CNVD-2013-08724
db: CNVD, id: CNVD-2014-01260
db: BID, id: 60897
db: JVNDB, id: JVNDB-2013-007035
db: PACKETSTORM, id: 122841
db: PACKETSTORM, id: 125242
db: CNNVD, id: CNNVD-201307-283
db: NVD, id: CVE-2013-5122

LAST UPDATE DATE

2024-11-23T22:29:47.792000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-08724, date: 2013-07-04T00:00:00
db: CNVD, id: CNVD-2014-01260, date: 2015-08-04T00:00:00
db: BID, id: 60897, date: 2013-08-19T10:17:00
db: JVNDB, id: JVNDB-2013-007035, date: 2020-01-22T00:00:00
db: CNNVD, id: CNNVD-201307-283, date: 2020-01-17T00:00:00
db: NVD, id: CVE-2013-5122, date: 2024-11-21T01:57:03.663

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-08724, date: 2013-07-04T00:00:00
db: CNVD, id: CNVD-2014-01260, date: 2014-02-26T00:00:00
db: BID, id: 60897, date: 2013-07-02T00:00:00
db: JVNDB, id: JVNDB-2013-007035, date: 2020-01-22T00:00:00
db: PACKETSTORM, id: 122841, date: 2013-08-15T12:12:12
db: PACKETSTORM, id: 125242, date: 2014-02-17T10:44:44
db: CNNVD, id: CNNVD-201307-283, date: 2013-07-17T00:00:00
db: NVD, id: CVE-2013-5122, date: 2020-01-07T14:15:10.077