The IOActive senior security consultant Tao Sauvage and the independent security researcher Antide Petit have reported more than a dozen of unpatched security vulnerabilities affecting 25 different Linksys Smart Wi-Fi Routers models.

The security duo published a blog post on Wednesday providing details of their discoveries.Attackers can exploit the security vulnerabilities to extract sensitive information from the devices, trigger DoS conditions, change settings, and completely take them over.The vulnerabilities effects dozens of Linksys models, including EA3500 Linksys Smart Wi-Fi, WRT and Wireless-AC series.

Out of 10 security vulnerabilities, six issues can be exploited by remote unauthenticated attackers.

All these products are widely by private users and by small businesses, for this reason, the impact of the discovery is huge. It has been estimated that over 7,000 routers that have their web-based administrative interfaces exposed to the Internet are exposed to attacks.

The experts discovered determined that 11 percent of the 7,000 Linksys routers still used default credentials.

“We performed a mass-scan of the ~7,000 devices to identify the affected models. In addition, we tweaked our scan to find how many devices would be vulnerable to the OS command injection that requires the attacker to be authenticated. We leveraged a router API to determine if the router was using default credentials without having to actually authenticate.” reads the blog post published by the two experts.

“We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers.”

Most of the flawed Linksys routers (~69%) are located in the USA, followed by Canada (~10%), Hong Kong (~1.8%), Chile (~1.5%), and the Netherlands (~1.4%).

If we consider the possibility that a local attacker exploits the issues to target systems over a local area network, the number of devices at risk dramatically increases.

The experts avoided to provided technical details about the flaw in the Linksys routers to avoid mass attacks against the vulnerable devices. The duo confirmed that two of the flaws could be exploited to trigger a denial-of-service condition on flawed routers, making them unusable or reboot by sending specifically crafted requests to a specific API.

Other vulnerabilities affecting the web interfaces of the Linksys routers allow attackers to bypass authentication and access many CGI scripts that can reveal sensitive information about the flawed devices and their configurations. An attacker can exploit the issues to obtain the Wi-Fi Protected Setup (WPS) PIN and to access the wireless network for further lateral movement from within. An attacker can exploit the vulnerability to determine firmware and kernel versions of the vulnerable Linksys routers and obtain a list of running processes, information about computers connected to the routers, a list of USB devices and the configuration settings for the FTP and SMB file-sharing servers.

The most severe flaw discovered by the experts could be exploited by attackers to inject and execute shell commands with root privileges on the affected routers. The flaw could be exploited to set up a backdoor administrative account that wouldn’t be listed in the web interface.

“Finally, authenticated attackers can inject and execute commands on the operating system of the router with root privileges. One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.” states the post.The flaw requires authentication to be exploited, this means the attackers need to have access to an existing account.

“It should be noted that we did not find a way to bypass the authentication protecting the vulnerable API; this authentication is different than the authentication protecting the CGI scripts.”

Linksys confirmed it is currently working on firmware updates to fix the vulnerabilities, meantime, as mitigation measures it suggests users disable the guest Wi-Fi network feature on their routers.

“Linksys was recently notified of some vulnerabilities in our Linksys Smart Wi-Fi series of routers.

As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity.” states the advisory. “We

will be releasing firmware updates for all affected devices.”

The complete list of vulnerable Linksys routers is reported in the security advisory issued by the company.

Pierluigi Paganini

(Security Affairs – Linksys routers, hacking)