COMMAND

    Linksys EtherFast

SYSTEMS AFFECTED

    Linksys EtherFast 4-Port Cable/DSL Router

PROBLEM

    'hypoclear' found the following.  The Linksys "EtherFast 4-Port
    Cable/DSL Router" is subject to a security flaw in its design.
    Passwords for the router and the user's ISP account can be viewed
    in the HTML source code stored on the router.

    The login passwords for both the router and the user's ISP are
    passed to the router's configuration pages.  While they cannot be
    viewed directly in the browser window, the passwords are in
    "cleartext" if viewed via the HTML source code.  This may lead to
    a compromise of the router and the user's ISP account.  The pages
    in question are index.htm, which contains the user's ISP logon and
    password, and Passwd.htm, which contains the password for the
    router.

    If combined with a "sniffer" attack, the source code (with
    passwords) can be viewed during transmission to the administrator's
    browser.

    Note:  The  transmissions  can  only  be  "sniffed" within the LAN
    behind the router.

    No exploit code is needed to exploit this vulnerability.  The
    passwords are stored and transmitted in "cleartext" within the
    HTML source.  The passwords can easily be viewed by sniffing the
    Ethernet segment when an administrator logs in and views the
    offending pages.

    Sections of offending code (code formatted for easier viewing):

    On index.htm:

    <b>User Name:  </b></font><input name=pppoeUName size maxlength=63 value=USERS_ISP_LOGIN_HERE>

    </td></tr><tr><th bgcolor=6666cc> </th>
    <td>    <font face=verdana size=2><b>Password:  
     </b></font><input type=password name=pppoePWD size=20 maxlength=63 value=USERS_ISP_PASSWORD_HERE></td>

    On Passwd.htm:

    <br>Router Password:  </th><td> <br>  
    <input type=password name=sysPasswd size=25 maxlength=63 value=ROUTER_PASSWORD_HERE>

    <font color=blue face=Arial size=2>
    (Enter New Password)</td></tr> <tr><th bgcolor=6666cc align=right><font color=white face=Arial size=2> </th> <td>
     
    <input type=password name=sysPasswdConfirm size=25 maxlength=63 value=CONFIRM_OF_ROUTER_PASSWORD_HERE>

    This is also true of the Linksys Cable/DSL Router without the
    4-port built-in hub, and possibly of other Linksys products.
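    As an added check (not part of the original advisory), the
    following script scans a saved copy of a router configuration page
    for <input> fields that echo a stored secret back in their value
    attribute, which is exactly the defect shown in the excerpts above.
    The two HTML samples are constructed to mirror those excerpts; the
    field names pppoePWD, sysPasswd and sysPasswdConfirm come from the
    advisory, and the sample values are made up.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the advisory's excerpts (not the real
# firmware pages).  Attribute values are unquoted, as in the router's HTML.
VULNERABLE_HTML = """
<b>User Name:  </b></font><input name=pppoeUName size maxlength=63 value=isp_user>
<input type=password name=pppoePWD size=20 maxlength=63 value=isp_secret></td>
<input type=password name=sysPasswd size=25 maxlength=63 value=router_secret>
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=router_secret>
"""

# What a corrected page should look like: password inputs carry no value
# attribute, so nothing secret is embedded in the HTML sent to the browser.
FIXED_HTML = """
<input name=pppoeUName size maxlength=63 value=isp_user>
<input type=password name=pppoePWD size=20 maxlength=63>
<input type=password name=sysPasswd size=25 maxlength=63>
<input type=password name=sysPasswdConfirm size=25 maxlength=63>
"""


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> elements whose value attribute would leak a secret."""

    def __init__(self, secret_names=()):
        super().__init__()
        self.secret_names = {n.lower() for n in secret_names}
        self.leaks = []  # list of (field name, leaked value)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Valueless attributes such as the bare "size" arrive as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        is_password = a.get("type", "text").lower() == "password"
        is_known_secret = a.get("name", "").lower() in self.secret_names
        if (is_password or is_known_secret) and a.get("value", ""):
            self.leaks.append((a.get("name", "?"), a["value"]))


def find_prefilled_secrets(html, secret_names=("pppoePWD", "sysPasswd", "sysPasswdConfirm")):
    """Return (name, value) pairs for every pre-filled password or named secret field."""
    parser = PrefilledSecretFinder(secret_names)
    parser.feed(html)
    parser.close()
    return parser.leaks


if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_HTML), ("fixed", FIXED_HTML)):
        leaks = find_prefilled_secrets(page)
        print(f"{label}: {len(leaks)} pre-filled secret field(s)")
        for name, value in leaks:
            print(f"  {name} carries a {len(value)}-character value in the page source")
```

    Run it against a page saved from the router's admin interface after
    a firmware upgrade; an empty result means the password fields no
    longer ship the stored credentials to the browser.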

SOLUTION

    A suggested solution for this problem is not to transmit the
    passwords to the offending pages at all.  Instead, keep them stored
    on the router and only allow the pages to set a new password (if
    the user wishes to change it).

    This particular solution is not possible without a vendor patch.
    There has been no response from Linksys.

    Another solution has been given by weld on the vuln-watch list.
    He states: "I would say the solution is to only admin the router
    from a workstation that is directly connected to one of the
    switch ports and to add a static arp cache entry for the router
    on the workstation.  That will deny any arp cache poisoning
    which would work to sniff across the switch."

    Tim Higgins reported that Linksys has released a firmware upgrade
    for their 1-port, 4-port and USB-port routers, version 1.39.3BETA.
    This should fix the password retrieval vulnerability.

    Firmware upgrade:

        http://www.practicallynetworked.com/support/linksys_router_help_pg2.htm#Firmware