Public Vulnerability Reports

Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

10.31.02

BACKGROUND

Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at
http://www.linksys.com/products/product.asp?prid=20&grid=23.

DESCRIPTION

The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled and that the proper password is supplied. A sample request looks as follows:

http://192.168.1.1/Gozila.cgi?

ANALYSIS

Because successful exploitation requires password authentication, exploitation can only occur in two likely scenarios:

1.) The Linksys user is socially engineered into clicking on a link and authenticating to the router (e.g. "Check out this cool Linksys Easter Egg! Click here!")

2.) The Linksys user is logged into the router's web management console, and is the victim of a cross-site scripting attack which redirects the user to this link.

DETECTION

This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7.
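
A triage sketch for the condition above, added here as an example and not part of the original advisory: it flags argument-less Gozila.cgi requests in web proxy logs and correlates them with a router inventory to find devices still on firmware earlier than 1.42.7. The log layout ("timestamp client url"), the inventory dictionary, and all sample addresses and versions are constructed assumptions.

```python
from urllib.parse import urlsplit

FIXED = (1, 42, 7)  # first fixed firmware version named in the advisory

def is_affected(firmware):
    """True if a dotted firmware string is earlier than 1.42.7."""
    parts = tuple(int(p) for p in firmware.strip().split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # '1.43' -> (1, 43, 0)
    return parts < FIXED

def is_argless_gozila(url):
    """True for a request to Gozila.cgi with an empty query string."""
    u = urlsplit(url)
    script = u.path.rsplit("/", 1)[-1]
    # Case-insensitive match is an assumption, chosen to over-match.
    return script.lower() == "gozila.cgi" and u.query == ""

def triage(log_lines, inventory):
    """Return (client, router, firmware) for argument-less requests
    aimed at routers that are affected or missing from the inventory."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        client, url = fields[1], fields[2]
        if not is_argless_gozila(url):
            continue
        router = urlsplit(url).hostname
        firmware = inventory.get(router)
        if firmware is None or is_affected(firmware):
            hits.append((client, router, firmware))
    return hits

# Constructed sample data: "timestamp client url" lines and an inventory.
LOG = [
    "2002-11-01T10:00:00 192.168.1.20 http://192.168.1.1/Gozila.cgi?",
    "2002-11-01T10:00:05 192.168.1.21 http://192.168.1.1/Gozila.cgi?a=b",
    "2002-11-01T10:01:00 192.168.1.22 http://192.168.2.1/Gozila.cgi",
    "2002-11-01T10:02:00 192.168.1.23 http://192.168.3.1/Gozila.cgi?",
]
INVENTORY = {"192.168.1.1": "1.42.3", "192.168.2.1": "1.43"}

if __name__ == "__main__":
    for hit in triage(LOG, INVENTORY):
        print(hit)
```

Routers absent from the inventory are reported with a firmware of None so that unknown devices are reviewed and not silently skipped.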

WORKAROUND

Pressing the reset button on the back of the router should restore normal functionality.

VENDOR RESPONSE

Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at http://www.linksys.com/download/firmware.asp?fwid=1.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue.

DISCLOSURE TIMELINE

08/27/2002 Issue disclosed to iDEFENSE
09/12/2002 Linksys notified
09/12/2002 iDEFENSE clients notified
09/13/2002 Response received from maryann.gamboa@Linksys.com
09/19/2002 Status request from iDEFENSE
09/20/2002 Asked to delay advisory until second level support can respond
10/20/2002 No response from second level support, another status request to maryann.gamboa@Linksys.com
10/31/2002 Still no response from Linksys, public disclosure
11/06/2002 Vendor Response from Andreas Bang, Linksys Product Manager

CREDIT

Jeep 94 (lowjeep94@hotmail.com) is credited with discovering this vulnerability.