|
Brought to you by:
Suppliers of:
|
|
|
| |
| Linksys products running affected firmware versions are susceptible to a bug that allows unauthenticated access to the management interface. This bug affects both local and remote management (if enabled). |
| |
Credit:
The information has been provided by Seth Bromberger.
|
| |
Vulnerable systems:
* BEFSR41, BEFSR11, BEFSRU31: firmware versions from 1.41 through 1.43
* BEFW11S4: firmware versions from 1.42.7 through 1.43.
Impact:
Users on the protected ("local") network can gain administrative access to the Linksys router and may view/alter configuration data. If remote management is enabled, users on the unprotected ("wide-area") network may gain similar access.
Note that for the BEFW11S4, the "local" network includes all devices able to associate with the access point.
Technical details:
It appears that the Linksys HTTP management interface does not handle cases where the client sends specific XML-related data during the initial content negotiation ("XML related entries in the mailcap file").
Verification:
Test setup included the following hardware/software:
- BEFSR41 firewall/router with firmware version 1.43
- Lynx browser version 2.8.4rel.1 (17 Jul 2001)
- ~/.mailcap with the following line:
application/foo.xml;
Using lynx with the above mailcap, connect to the management interface (remote interface listens on port 8080 when enabled). Affected versions will display the setup screen without requiring the user to enter a password. (Note: mailcap is generally installed as ~/.mailcap). Navigation to other screens is possible, though some "accept" buttons might not render if the browser used is unable to process JavaScript.
Resolution:
Linksys has released firmware version 1.43.3 that resolves this issue on the tested equipment (BEFSR41). It is assumed that the problem is resolved with this firmware version on all affected products.
|
|
|
|
|
