On various Linksys devices, an unspecified bug can cause an unsafe/undocumented TCP port to open allowing for unauthenticated remote access to the device.
498c65c860fe5d919123b02b7dda83e1dd02868d0b1adb1db402354c60007bd1
-----------------------------------------------------------------------------
Vulnerabilities:
An unspecified bug can cause an unsafe/undocumented TCP port to open
allowing for:
- Unauthenticated remote access to all pages of the router
administration GUI, bypassing any credential prompts under certain
common configurations
- Direct access to several critical system files
CVE-ID 2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score 10
CVSS Temporal Score 8.1
Exploitability Subscore: 10.0
Affected models and firmware:
Linksys SMART Wi-Fi Router N600 - EA2700 Firmware Version: 1.0.14
Linksys SMART Wi-Fi Router N750 Smooth Stream EA3500 Firmware Version: 1.0.30
Linksys Maximun Performance N Router E4200v2 Firmware Version: 2.0.36
Linksys Maximun Performance N Router E4200v2 Firmware Version: 2.0.37
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.36
Linksys SMART Wi-Fi N900 Media Stream EA4500 Firmware Version: 2.0.37
-Web Server Lighttpd 1.4.28
-Running - Linux 2.6.22
-----------------------------------------------------------------------------
Vulnerability Conditions seen in all variations, though not limited too:
- Classic GUI has been enabled/installed
- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled
Fixes and workarounds:
*** It is strongly advised to those that have the classic GUI firmware
installed to do a full WAN side scan for unusual ports that are open
that weren't specifically opened by the end user.
It is recommend to upgrade to firmware 2.1.39 on the E4200v2 and
EA4500, though it is uncertain if this resolves the problem in all
cases.
It is recommend to upgrade to firmware 1.1.39 on the EA2700 and
EA3500.though it is uncertain if this resolves the problem in all
cases.
Vendor: We have been working with Linksys/Belkin Engineers on this
problem, and they are still investigating the root cause. We hope to
have additional information on this bug soon.
-----------------------------------------------------------------------------
External Links Misc:
http://www.osvdb.org/show/osvdb/94768
http://www.securityfocus.com/archive/1/527027
http://securityvulns.com/news/Linksys/EA/1307.html
http://www.scip.ch/en/?vuldb.9326
http://www.mobzine.ro/ionut-balan/2013/07/vulnerabilitate-majora-in-linksys-ea2700-ea3500-e4200-ea4500/
Vendor product links:
http://support.linksys.com/en-us/support/routers/EA2700
http://support.linksys.com/en-us/support/routers/EA3500
http://support.linksys.com/en-us/support/routers/E4200
http://support.linksys.com/en-us/support/routers/EA4500
Discovered - 07-01-2013
Updated - 08-15-2013
Research Contact - K Lovett, M Claunch
Affiliation - SUSnet