Re: Linksys 'routers', SNMP issues

From: Ken.Williamsat_private
Date: Wed Jan 09 2002 - 08:22:44 PST


    Note that the BEFSR41 (and most likely numerous other Linksys
    models too) are/were also vulnerable to the issues described
    below - depends on what ver of firmware you have.  To my
    knowledge, the latest firmware upgrades fix most models.
    
    I have confirmed through the vendor that the BEFSR41 and BEFSR81
    were vulnerable to the issues below, and that the latest firmware
    upgrades for each model correct all of the issues.
    Latest firmware:
    BEFSR41 - v1.40.2
    BEFSR81 - v2.40.2
    
    (These issues were actually addressed several revs back early last
    year)
    
    Contact supportat_private to see if your model is vulnerable and
    if the latest firmware corrects the issues.  I have found Linksys
    Support to be very helpful and responsive.
    
    If you are using a Linksys Cable/DSL router, then you should be
    using Linklogger <www.linklogger.com> so you can adequately monitor
    and log suspicious events.  Great software, highly recommended.
    
    Regards,
    ken
    
    Ken Williams ; Technical Lead ; ken.williamsat_private
    eSecurityOnline - an eSecurity Venture of Ernst & Young
    ken.williamsat_private ; www.esecurityonline.com ; 1-877-eSecurity
    
    
    "Matthew S. Hallacy" <poptix@techmonkeys.org>
    To:      bugtraqat_private
    cc:
    Subject: Linksys 'routers', SNMP issues
    01/06/2002 06:55 AM
    
    Howdy.
    
    LinkSys DSL 'routers' have some serious information leakage, and potential
    DDoS usage. The following models have been confirmed as having this problem:
    BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
    BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)
    
    Querying these devices with the default community of 'public' causes them
    to set the address that queried as their snmptrap host, dumping traffic
    such as the following to that address:
    
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
    enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
    enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
    enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
    enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
    enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11,
    enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q
    15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
    Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11,
    enterprises.3955.1.1.0 = "<--[U]Recv __:
    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."
    
    It looks like a combination of debugging information as well as traffic
    logging; many customers never use the configuration page, let alone change
    the SNMP communities. To make the matter worse, LinkSys refuses to
    distribute an MIB for the device, which is not surprising considering the
    SNMP implementation on the device is rather broken (it goes into a
    continuous loop).
    
    
    LinkSys is routing all messages regarding SNMP to /dev/null
    
                                   Have a nice day.
                                   Matthew S. Hallacy
    --
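An added example, not from either poster: a small parser for the trap payloads quoted in the original post, so a defender reviewing a trap listener's log can see exactly which LAN hosts and remote endpoints a router left on the default community is exposing. The sample log is constructed from the lines in the post; the assumption that the direction token can be something other than "@out" is mine.

```python
import re
from collections import Counter

# Constructed sample: trap lines in the format quoted in the post, as a
# trap listener would log them, including one debug trap that carries no flow.
SAMPLE_TRAP_LOG = r'''
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11,
enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q
15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
'''

# Payload shape: "@out <lan host> ==> <remote host>[<port>]."
# Only "@out" appears in the post; accepting any lowercase token is an assumption.
FLOW_RE = re.compile(
    r'enterprises\.3955\.1\.1\.0 = "@(?P<dir>[a-z]+) '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}) ==> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\[(?P<port>\d+)\]\.?"'
)

def parse_trap_log(text):
    """Extract connection records; debug traps ("-->[U]Send ...") are skipped."""
    return [
        {"direction": m["dir"], "src": m["src"], "dst": m["dst"], "port": int(m["port"])}
        for m in FLOW_RE.finditer(text)
    ]

def leakage_summary(flows):
    """What anyone who received these traps learns about the LAN behind the router."""
    return {
        "internal_hosts": sorted({f["src"] for f in flows}),
        "remote_endpoints": Counter((f["dst"], f["port"]) for f in flows),
    }

if __name__ == "__main__":
    flows = parse_trap_log(SAMPLE_TRAP_LOG)
    summary = leakage_summary(flows)
    print(f"{len(flows)} connections exposed from {summary['internal_hosts']}")
    for (dst, port), n in summary["remote_endpoints"].most_common():
        print(f"  {dst}:{port}  x{n}")
```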
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:12:27 PST