Critical security flaws have been discovered in widely used wired and wireless networking products from Linksys Group and Netgear that would allow someone to crash or gain control of business and consumer networks.
Researcher Tom Knienieder late last week discovered that Netgear's WG602 (version 1) 802.11g-compatible wireless LAN access point contains a hard-wired user account with a known password. Any user with access to a LAN with an affected WG602 device connected to it would be able to gain full administrator access to the device, Knienieder said. Attackers could also gain access to the device through a WAN if the access point is set up to allow remote administration, but this goes against best practices for security, researchers said.
The "back-door" user account cannot be disabled, and Netgear has not released an upgrade to the WG602 firmware to fix the problem, researchers said. Security firm Secunia recommended users either switch to another product or restrict access to the Web-based administrator interface, for example making it accessible only from a dedicated administrator machine.
Security experts said the creation of the back-door was "very irresponsible". "It reportedly isn't possible for the user to change the password, thus making it harder for the user to mitigate the threat," Secunia's Jakob Balle told Techworld.
But observers have questioned the responsibility of Secunia and other security companies in putting the username and password in the public domain by listing both for a variety of releases in their advisories. The problem has been confirmed in all WG602v1 firmware releases after 1.04.0. A newer release of the WG602 hardware, version 2, does not seem to be affected, according to Secunia.
"Any user logging in with the username '(*)' and the password '(*)' is in complete control of the device," wrote Knienieder. "This vulnerability can be exploited by any person who is able to reach the Web interface of the device with a Web browser."
Knienieder, of Germany's Khamsin Security, published his original advisory on the BugTraq mailing list. Secunia has also published an advisory.
The hardwired administrative account was apparently built into the access point by a Taiwan hardware developer called Z-com Inc., according to Knienieder, raising the possibility that other hardware manufactured using Z-com designs may include the same vulnerability. Knienieder said the numerical password appeared to be the telephone number of Z-com's Taiwan offices.
Secunia defended its decision to publish the back-door username and password, arguing that the information can be easily extracted from the device. "It does not pose a larger risk to the affected users that this information is already available," said Balle. "Furthermore, when the username and password is public knowledge, it gives the affected users a chance to test their own system, and see for themselves what this vulnerability could result in, and perhaps even helping them to take mitigating steps."
Linksys denial-of-service flaw
Two separate types of critical flaws have cropped up in Linksys' BEF series of routers, one of which also affects the Linksys WRT54G Wireless-G Broadband Router. One attack can cause denial-of-service while the other makes it impossible to turn off remote administrator access to some Linksys devices.
A researcher identifying himself as b0f found two similar bugs in the Web-based administrator interface in BEF-series routers, allowing anyone with access to the interface to crash the devices. Once crashed, the devices still cannot be used after rebooting, and require a factory reset, according to researchers. Attackers can crash BEF-series devices by sending overly long strings to the "sysPasswd", "sysPasswdConfirm" or "DomainName" parameters in one of the router's processes. A number of BEF-series devices are affected, and Linksys has released firmware upgrades fixing the problem for some of the routers.
Linksys remote access bug
Researchers Alan Rateliff II and Matthew Gillespie last week independently reported an issue affecting both the BEFSR41 ver.3 router and the WRT54G Wireless-G Broadband Router, which could give an attacker remote access to the device's Web-based administration control panel.
The problem is that even when the administrator switches remote access off -- the configuration recommended by security experts -- the devices still allow administrator access from the Internet. That increases the danger posed by other flaws, such as the denial-of-service glitches above, which would ordinarily only be exploitable from the local network.
The problem can be averted by turning the device's firewall on, and indeed this should be on by default. However, researcher Rateliff said some devices seemed to have the firewall switched off out of the box. Cisco, which owns Linksys, said it had released a test version of new firmware for the WRT54G which should fix the problem.
The WRT54G is consumer-oriented but the BEF-series router is aimed at businesses. Linksys controls the majority of the consumer WLAN market and 20 percent of the combined home and small-business market, according to Synergy Research Group Inc.
Such problems aren't new in the world of networking equipment. A recent bug in Linksys BEF-series routers with DHCP servers, for example, allowed an attacker to monitor traffic flowing through the devices and to crash them.
In April, Cisco Systems Inc. revealed that a user name and password coded into some versions of its Wireless LAN Solution Engine and Hosting Solution Engine software could give attackers complete control of the devices. Attackers could use the default logins to hide rogue wireless access points on wireless LANs, create and modify user privileges or change configuration settings, Cisco said.
Last year, a problem in Netgear's implementation of the Network Time Protocol (NTP) caused an effective denial of service attack on the University of Wisconsin-Madison's time service. The Netgear routers were hard-coded to always access the University of Wisconsin's time server, using port number 23457. However, when any request went unanswered the affected routers continued sending requests, as often as once per second.