[ISN] Confusion surrounds Cisco-Linksys wireless hole

From: InfoSec News (isn@private)
Date: Tue Jun 08 2004 - 00:42:22 PDT

  • Next message: William Knowles: "[ISN] Internet needs law enforcement, author says"

    By Paul Roberts
    IDG News Service
    A report last week about a security hole in a wireless broadband
    router made by Cisco's Linksys division overstated the severity of the
    vulnerability, according to the man who first warned of the problem.
    Independent technology consultant Alan Rateliff said Monday that
    Cisco's Linksys WRT54G wireless routers are not, by default,
    vulnerable to remote takeover from a malicious hacker. However, a
    vulnerability in the software that runs on those devices could still
    allow a malicious hacker to access administrative features for the
    router and take control of the device.
    Rateliff first posted a warning about the WRT54G on the Bugtraq
    discussion list on May 31. Based on testing with a sample Cisco
    router, Rateliff concluded that the routers were shipped with a
    configuration that would allow remote attackers to access the
    Web-based administration interface for the devices over two common
    communications ports, 80 and 443. The WRT54G, like other wireless
    routers, enables multiple computers to share a broadband Internet
    connection using wireless networking equipment
    The Bugtraq post prompted numerous responses that contested Rateliff's
    findings. After testing additional WRT54G devices, Rateliff said he
    found that the devices were not vulnerable in their default
    configuration, but could still be compromised remotely given the right
    In particular, Rateliff discovered that a firewall feature in the
    routers is enabled, rather than disabled, by default, which prevents
    compromise on new systems.
    On versions of the router using firmware versions 2.02.2 and 2.02.7,
    malicious hackers can access the router's administrator interface and
    change the configuration of the router if the firewall feature is
    disabled and if the router's owner does not change the default
    administrator's password. The devices could be compromised regardless
    of whether a feature that provides remote, Web-based access to the
    routers was enabled or disabled, he said.
    Cisco has since released a test, or "beta" version of software for the
    device that fixes the remote access problem, he said.
    Rateliff posted a message to Bugtraq on June 2 and acknowledged that
    he made an error in his initial warning about the problem, but said he
    was just posting his findings based on a test of the Cisco hardware,
    standard practice in the Bugtraq forum. Rateliff did not expect the
    immense response to his post, which spawned stories in a number of
    online news outlets and prompted multiple responses on Bugtraq.
    "The exposure on this is not as bad as the (discussion) on Bugtraq
    made it seem. I can't account for the results of the first test, but
    at this point that's irrelevant. What's relevant now is that 'out of
    box' home users are safe," Rateliff said.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Tue Jun 08 2004 - 04:23:27 PDT