Linksys Smart Wi-Fi Vulnerabilities
by CIRT Team
Description: Security researchers at IOActive said in an advisory that, after reverse engineering the router firmware, they identified a total of 10 security vulnerabilities, ranging from low- to high-risk issues, six of which can be exploited remotely by unauthenticated attackers.
Impact: These vulnerabilities allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router. Attackers can also bypass the authentication protecting the CGI scripts and collect technical and sensitive information about the router, such as the firmware version and Linux kernel version, the list of running processes, the list of connected USB devices, or the WPS PIN for the Wi-Fi connection. Authenticated attackers can inject and execute commands on the router's operating system with root privileges.
Linksys has provided a list of all affected models:
Mitigation: According to the Linksys Security Advisory (linksys.com), Linksys is working on a new firmware update for all affected devices. Until it is available, Linksys advises the following:
- Enable Automatic Updates. Linksys Smart Wi-Fi devices include a feature to automatically update the firmware when new versions are available. (Reference)
- Disable Wi-Fi Guest Network if not in use. (Reference)
- Change the default Administrator password. (Reference)