Re: Linksys 'routers', SNMP issues

[Ken.Williams () ey com]

Note that the BEFSR41 (and most likely numerous other Linksys
models too) are/were also vulnerable to the issues described
below - depends on what ver of firmware you have.  To my
knowledge, the latest firmware upgrades fix most models.

I have confirmed through the vendor that the BEFSR41 and BEFSR81
were vulnerable to the issues below, and that the latest firmware
upgrades for each model correct all of the issues.
Latest firmware:
BEFSR41 - v1.40.2
BEFSR81 - v2.40.2

(These issues were actually addressed several revs back early last
year)

Contact support () linksys com to see if your model is vulnerable and
if the latest firmware corrects the issues.  I have found Linksys
Support to be very helpful and responsive.

If you are using a Linksys Cable/DSL router, then you should be
using Linklogger <www.linklogger.com> so you can adequately monitor
and log suspicious events.  Great software, highly recommended.

Regards,
ken

Ken Williams ; Technical Lead ; ken.williams () ey com
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams () ey com ; www.esecurityonline.com ; 1-877-eSecurity




                    "Matthew S.
                    Hallacy"              To:     bugtraq () securityfocus com
                    <poptix@techmo        cc:
                    nkeys.org>            Subject:     Linksys 'routers',
SNMP issues

                    01/06/2002
                    06:55 AM






Howdy.

LinkSys DSL 'routers' have some serious information leakage, and potention
DDoS
usage. The following models have been confirmed as having this problem:
BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)

Querying these devices with the default community of 'public' causes them
to set
the address that queried as their snmptrap host, dumping traffic such as
the
following to that address:

Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11,
enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q
15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11,
enterprises.3955.1.1.0 = "<--[U]Recv __:
^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."

It looks like a combination of debugging information as well as traffic
logging,
many customers never use the configuration page, let alone change the SNMP
communities. To make the matter worse, LinkSys refuses to distribute an MIB
for the device, which is not suprising considering the SNMP implementation
on the device is rather broken (it goes into a continious loop).


LinkSys is routing all messages regarding SNMP to /dev/null

                               Have a nice day.
                               Matthew S. Hallacy
--






______________________________________________________________________
The information contained in this message may be privileged and
confidential and protected from disclosure.  If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is
strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from your computer.  Thank you.  Ernst & Young LLP