Tips and Tricks
A place to store useful info I don't want to lose




Yahoo has published an article on a Linksys vulnerability. The vulnerability is fixed in the latest firmware release. Upgrade 'em if ya got 'em!

Linksys BEFSR41 vulnerability

An easily exploitable software vulnerability in a common home networking router by Linksys Group could expose thousands of home users to denial of service attacks, according to a security advisory issued by iDefense, a software security company. Linksys, based in Irvine, California, could not immediately be reached for comment.

The vulnerability affects Linksys BEFSR41 EtherFast Cable/DSL routers using router firmware earlier than version 1.42.7.

A security hole in some versions of the firmware used by the router could allow a remote user to crash the device, interrupting Internet service for any computers attached to it, according to iDefense. To cause a crash, an attacker only needs to enter the URL (uniform resource locator) for a CGI (Common Gateway Interface) script used to configure and manage the router without providing any "arguments" (input for the script to process), according to iDefense.

In most situations, the attacker would already need to be on a computer connected to the network to execute an attack. However, if the router has a 'remote management' feature enabled, a malicious hacker could execute an attack from anywhere on the Internet by entering the IP (Internet Protocol) address of the router along with the name of the script into his or her Web browser.

"An attacker could just scan a (network) subnet for IP addresses belonging to Linksys routers. Once they identified the targeted routers, they could bring them down just using their Web browser," said Sunil James, a senior security engineer at iDefense, which is in Chantilly, Virginia.

Other Linksys models including the BEFSR11 and BEFSRU31 routers may also be affected by the vulnerability, according to James. Those models use the same embedded Web server and firmware software as the BEFSR41, James said. IDefense has not tested the vulnerability on the BEFSR11 or BEFSRU31 router hardware, James said. Aside from losing Internet connectivity, however, James said that iDefense does not believe the vulnerability would allow attackers to place or execute malicious code on an affected network. Following an attack, users would need to reset the router by pressing a reset button on the back of the device to restore it, according to iDefense.

To guard against this vulnerability, iDefense recommends upgrading the router firmware to version 1.42.7 or later (http://www.linksys.com/download/firmware.asp). That and subsequent firmware versions appear to eliminate the vulnerability, though Linksys makes no mention of the vulnerability in the release notes that accompany the updated firmware, according to James. Users are also asked to verify that the router's remote management feature is not enabled.
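
An inventory check for the two mitigations above, as an added example that is not part of the original post or the advisory: it compares firmware versions numerically against 1.42.7 and lists devices with remote management enabled first. The record fields (`name`, `model`, `firmware`, `remote_mgmt`), the sample inventory, and applying the same 1.42.7 threshold to the untested BEFSR11 and BEFSRU31 models are assumptions.

```python
import re

FIXED = (1, 42, 7)                   # first fixed firmware named in the article
CONFIRMED = {"BEFSR41"}              # model the advisory covers
UNTESTED = {"BEFSR11", "BEFSRU31"}   # "may also be affected"; same threshold is an assumption


def parse_version(text):
    """Turn '1.42.7' or 'v1.43' into a comparable tuple; None if unparseable."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # '1.43' -> (1, 43, 0)
    return tuple(parts)


def assess(device):
    """Return (status, exposure) for one inventory record."""
    model = device["model"].upper()
    if model not in CONFIRMED | UNTESTED:
        return ("not-listed", "n/a")
    exposure = "internet" if device.get("remote_mgmt") else "lan-only"
    version = parse_version(device.get("firmware"))
    if version is None:
        return ("unknown-firmware", exposure)  # needs a manual check
    if version >= FIXED:                       # numeric compare: 1.42.10 > 1.42.7
        return ("patched", exposure)
    return ("vulnerable" if model in CONFIRMED else "possibly-vulnerable", exposure)


def audit(inventory):
    """Devices needing action, remote-management-enabled ones first."""
    rows = [(d["name"], *assess(d)) for d in inventory]
    todo = [r for r in rows
            if r[1] != "not-listed" and (r[1] != "patched" or r[2] == "internet")]
    return sorted(todo, key=lambda r: (r[2] != "internet", r[0]))


# Constructed sample inventory (not real devices)
INVENTORY = [
    {"name": "branch-a", "model": "BEFSR41", "firmware": "1.42.6", "remote_mgmt": True},
    {"name": "branch-b", "model": "BEFSR41", "firmware": "1.42.10", "remote_mgmt": False},
    {"name": "branch-c", "model": "BEFSR41", "firmware": "1.43", "remote_mgmt": True},
    {"name": "home-lab", "model": "befsr11", "firmware": "v1.41", "remote_mgmt": False},
    {"name": "kiosk", "model": "BEFSRU31", "firmware": "", "remote_mgmt": True},
]

if __name__ == "__main__":
    for name, status, exposure in audit(INVENTORY):
        print(f"{name:10} {status:20} {exposure}")
```

A patched device still appears in the output when remote management is on, since the article asks users to verify that feature is disabled regardless of firmware version.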



© Copyright 2002 Eric Hartwell.
Last update: 12/3/2002; 9:25:55 PM.


"Data! data! data!" he cried impatiently. "I can't make bricks without clay."
— Sherlock Holmes to Dr. Watson in "The Adventure of the Copper Beeches" by Arthur Conan Doyle. 


"I like deadlines," cartoonist Scott Adams once said. "I especially like the whooshing sound they make as they fly by."


"There is nothing like that feeling of spending days and days banging your head against a wall trying to solve a programming problem then suddenly finding that one tiny obscure and seemingly unrelated piece of the puzzle that unlocks the solution. Oh yeah!"

- Chris Maunder, CodeProject Newsletter 28 Jan 2002


"Management at eSnipe, which is me, is also feeling the pain of the 2002 bear market. So rather than pout about it, I bought some stuff on eBay that I really didn’t need, but made me feel better."

- Tom Campbell, president of eSnipe