Vulnerability Note VU#447516
Linksys SMART WiFi firmware contains multiple vulnerabilities
Original Release date: 31 Oct 2014 | Last revised: 07 Nov 2014

Overview
Linksys EA series routers running the Linksys SMART WiFi firmware contain multiple vulnerabilities.

Description
CWE-320: Key Management Errors – CVE-2014-8243
An remote, unauthenticated attacker can read the router’s .htpassword file by requesting http(s)://<router_ip>/.htpasswd. The .htpasswd file contains the MD5 hash of the administrator password.

CWE-200: Information Exposure – CVE-2014-8244

A remote, unauthenticated attacker can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://<router_ip>/JNAP/. Depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router.

It should also be noted that the router exposes multiple ports to the WAN by default. Port 10080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well.

Impact
A remote, unauthenticated attacker may be able to read or modify sensitive information on the router.

Solution
Apply an Update:

If possible, users are encouraged to update their firmware to the latest version to remediate these vulnerabilities. Linksys has provided the following fix versions:

EA2700- Ver.1.1.40 (Build 162751)

EA3500- Ver.1.1.40 (Build 162464)

E4200v2 – Ver.2.1.41 (Build 162351)

EA4500- Ver.2.1.41 (Build 162351)

EA6200- Ver.1.1.41 (Build 162599)

EA6300 – Ver.1.1.40 (Build 160989)

EA6400- Ver.1.1.40 (Build 160989)

EA6500- Ver.1.1.40 (Build 160989)

EA6700 – Ver.1.1.40 (Build 160989)

EA6900 – Ver.1.1.42 (Build 161129)

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedLinksysAffected28 Jul 201423 Oct 2014If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal
5.3
E:POC/RL:OF/RC:C

Environmental
5.3
CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

http://support.linksys.com/en-us/support/routers/E4200
http://support.linksys.com/en-us/support/routers/EA4500
http://support.linksys.com/en-us/support/routers/EA6200
http://support.linksys.com/en-us/support/routers/EA6300
http://support.linksys.com/en-us/support/routers/EA6400
http://support.linksys.com/en-us/support/routers/EA6500
http://support.linksys.com/en-us/support/routers/EA6700
http://support.linksys.com/en-us/support/routers/EA6900
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/200.html

Credit

Thanks to Kyle Lovett and Sijmen Ruwhof for discovering these vulnerabilities.
This document was written by Todd Lewellen.

Other Information

CVE IDs:
CVE-2014-8243
CVE-2014-8244

Date Public:
31 Oct 2014

Date First Published:
31 Oct 2014

Date Last Updated:
07 Nov 2014

Document Revision:
38

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply