Message-ID: <3DDA7B79.25574.8A2B26A@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 11.19.02a: Denial of Service Vulnerability in Linksys Cable/DSL Routers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02a:
http://www.idefense.com/advisory/11.19.02a.txt
Denial of Service Vulnerability in Linksys Cable/DSL Routers
November 19, 2002

I. BACKGROUND

Linksys Group Inc. currently sells several broadband router products,
including:

BEFW11S4, Wireless Access Point Router with 4-Port Switch - Version 2
BEFSR11, EtherFast® Cable/DSL Router
BEFSR41, EtherFast® Cable/DSL Router with 4-Port Switch
BEFSRU31, EtherFast® Cable/DSL Router with USB and 3-Port Switch

More information is available at
http://www.linksys.com/products/group.asp?grid=23 .

II. DESCRIPTION

The BEFW11S4, BEFSR11, BEFSR41 and BEFSRU31 can be crashed when
several thousand characters are passed in the password field of the
device's web management interface. Exploitation simply requires the
use of a web browser that can send long Basic Authentication fields
to the affected router's interface.

III. ANALYSIS

Remote exploitation is only possible if the remote web management
interface is enabled (this is disabled by default). An attacker on
the internal network can access the web management interface by using
a web browser and accessing the URL http://192.168.1.1 (default URL).

IV. DETECTION

The BEFW11S4, BEFSR11, BEFSR41, and BEFSRU31 devices with firmware
earlier than version 1.43.3 are affected.  iDEFENSE confirmed
susceptibility on the BEFW11S4. Linksys indicated that the BEFSR11,
BEFSR41 and BEFSRU31 are also affected.

V. WORKAROUND

Disable the remote web management interface on the affected router. 

VI. RECOVERY

Cycling power through the affected device should restore normal
functionality; pressing the "Reset" button on the router is
insufficient.

VII. VENDOR FIX

Linksys firmware 1.43.3, which is available at
http://www.linksys.com/download/, fixes the problem on all the
affected devices.

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1312 to this issue.

IX. DISCLOSURE TIMELINE

11/02/2002	Issue disclosed to iDEFENSE
11/06/2002	Linksys notified (jay.price@...ksys.com)
11/11/2002	Linksys response (diana.ying@...ksys.com)
11/18/2002	iDEFENSE clients notified
11/19/2002	Public disclosure

X. CREDIT

Alex S. Harasic (aharasic@...ra.cl) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPdrA6UrdNYRLCswqEQIlHQCfSWbq62uW/9V6nXX2Hrr0YfPJ40wAoISV
DKNMabeYn046qJGNFtmxW5lU
=tFYj
-----END PGP SIGNATURE-----
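
Added example (not part of the iDEFENSE advisory or any Linksys code): a check that an IDS sensor or filtering proxy in front of the management interface could apply to the condition in section II, flagging requests whose Basic Authentication password is far longer than any real one. The 256-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import base64
import binascii

# Assumed threshold: no legitimate router password approaches this length.
MAX_PASSWORD_LEN = 256


def inspect_basic_auth(raw_request: bytes, max_len: int = MAX_PASSWORD_LEN):
    """Classify the Basic credentials in one raw HTTP request.

    Returns (verdict, length) where verdict is "none" (no Basic header),
    "ok", "oversized" or "malformed" (token is not valid base64).
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        token = token.strip()
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return "malformed", len(token)
        # Basic credentials are "user:password"; only the first colon splits.
        _user, _, password = decoded.partition(b":")
        verdict = "oversized" if len(password) > max_len else "ok"
        return verdict, len(password)
    return "none", 0


def sample_request(password: bytes) -> bytes:
    """Constructed sample request, built in memory only (never sent)."""
    cred = base64.b64encode(b"user:" + password)
    return (b"GET / HTTP/1.0\r\nHost: 192.168.1.1\r\n"
            b"Authorization: Basic " + cred + b"\r\n\r\n")


if __name__ == "__main__":
    for pw in (b"hunter2", b"A" * 4000):
        print(inspect_basic_auth(sample_request(pw)))
```

A request flagged "oversized" or "malformed" should be dropped or logged before it reaches a device still running firmware earlier than 1.43.3.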

