
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN244
_____________________________________________________________________

DATE                : 31/10/2014

HARDWARE PLATFORM(S): Linksys EA series routers.

OPERATING SYSTEM(S): Linksys SMART WiFi firmware.

======================================================================
http://www.kb.cert.org/vuls/id/447516
______________________________________________________________________


Vulnerability Note VU#447516

Linksys SMART WiFi firmware contains multiple vulnerabilities

Original Release date: 31 Oct 2014 | Last revised: 31 Oct 2014


Overview

Linksys EA series routers running the Linksys SMART WiFi firmware
contain multiple vulnerabilities.


Description

CWE-320: Key Management Errors - CVE-2014-8243

An unauthenticated attacker on the local area network (LAN) can read
the router's .htpasswd file by requesting
http(s)://<router_ip>/.htpasswd. The .htpasswd file contains the MD5
hash of the administrator password.

CWE-200: Information Exposure - CVE-2014-8244

A remote, unauthenticated user can issue various JNAP calls by sending
specially-crafted HTTP POST requests to http(s)://<router_ip>/JNAP/.
Depending on the JNAP action that is called, the attacker may be able
to read or modify sensitive information on the router.

It should also be noted that the router exposes multiple ports to the
WAN by default. Ports 10080 and 52000 both expose the administrative
web interface to WAN users. Depending on the model, additional ports
may be exposed by default as well.


Impact

A remote, unauthenticated attacker may be able to read or modify
sensitive information on the router.


Solution

Apply an Update:

If possible, users are encouraged to update their firmware to the
latest version to remediate these vulnerabilities. Linksys has provided
the following fix versions:

    EA2700 - Not yet released
    EA3500 - Not yet released
    E4200v2 - Ver.2.1.41.162351
    EA4500 - Ver.2.1.41 (Build 162351)
    EA6200 - Ver.1.1.41 (build 162599)
    EA6300 - Ver.1.1.40 (build 160989)
    EA6400 - Ver.1.1.40 (build 160989)
    EA6500 - Ver.1.1.40 (build 160989)
    EA6700 - Ver.1.1.40 (build 160989)
    EA6900 - Ver.1.1.42 (Build 161129)
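
Added example (not part of the CERT/CC note and not Linksys code): a Python
check of a device inventory against the fix versions listed above. The
inventory entries and status names are constructed for illustration, and it
assumes firmware strings order as (major, minor, patch, build).

```python
import re

# Fix versions copied from the list above; None = "Not yet released".
FIXED = {
    "EA2700": None,
    "EA3500": None,
    "E4200v2": "Ver.2.1.41.162351",
    "EA4500": "Ver.2.1.41 (Build 162351)",
    "EA6200": "Ver.1.1.41 (build 162599)",
    "EA6300": "Ver.1.1.40 (build 160989)",
    "EA6400": "Ver.1.1.40 (build 160989)",
    "EA6500": "Ver.1.1.40 (build 160989)",
    "EA6700": "Ver.1.1.40 (build 160989)",
    "EA6900": "Ver.1.1.42 (Build 161129)",
}

def parse_version(text):
    """Normalise 'Ver.2.1.41 (Build 162351)' or '2.1.41.162351' to a 4-tuple."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) != 4:
        raise ValueError(f"expected version and build number in {text!r}")
    return nums

def audit(model, installed):
    """Return 'patched', 'vulnerable', 'no-fix' or 'unknown-model'."""
    if model not in FIXED:
        return "unknown-model"      # not covered by this advisory's list
    if FIXED[model] is None:
        return "no-fix"             # affected series, no fixed firmware listed
    # Assumption: tuples compare in release order (version first, then build).
    ok = parse_version(installed) >= parse_version(FIXED[model])
    return "patched" if ok else "vulnerable"

# Constructed inventory: (model, firmware string as recorded), not real data.
INVENTORY = [
    ("EA4500", "2.1.39.145204"),
    ("EA6900", "Ver.1.1.42 (Build 161129)"),
    ("EA6500", "1.1.40.160989"),
    ("EA2700", "1.1.39.145204"),
    ("WRT54G", "4.21.5"),
]

def report(inventory=INVENTORY):
    """Audit every inventory entry and return (model, version, status) rows."""
    return [(m, v, audit(m, v)) for m, v in inventory]

if __name__ == "__main__":
    for model, version, status in report():
        print(f"{model:8} {version:28} {status}")
```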


Vendor Information

Vendor     Status      Date Notified   Date Updated
Linksys    Affected    28 Jul 2014     23 Oct 2014



CVSS Metrics

Group           Score   Vector
Base            6.8     AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal        5.3     E:POC/RL:OF/RC:C
Environmental   5.3     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND


References

    http://support.linksys.com/en-us/support/routers/E4200
    http://support.linksys.com/en-us/support/routers/EA4500
    http://support.linksys.com/en-us/support/routers/EA6200
    http://support.linksys.com/en-us/support/routers/EA6300
    http://support.linksys.com/en-us/support/routers/EA6400
    http://support.linksys.com/en-us/support/routers/EA6500
    http://support.linksys.com/en-us/support/routers/EA6700
    http://support.linksys.com/en-us/support/routers/EA6900
    http://cwe.mitre.org/data/definitions/310.html
    http://cwe.mitre.org/data/definitions/200.html


Credit

Thanks to Kyle Lovett for reporting this vulnerability.

This document was written by Todd Lewellen.


Other Information

    CVE IDs: CVE-2014-8243 CVE-2014-8244
    Date Public: 31 Oct 2014
    Date First Published: 31 Oct 2014
    Date Last Updated: 31 Oct 2014
    Document Revision: 22



=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
