After reverse engineering the firmware, IOActive’s Tao Sauvage discovered 10 bugs, six of which can be exploited remotely by unauthenticated attackers.
Hackers can exploit two of these to DoS the router. Other vulnerabilities allow for the collection of sensitive data such as the firmware and Linux kernel versions, running processes, connected USB devices and the Wi-Fi WPS PIN.
Unauthenticated attackers can also access the firewall configuration, read FTP configuration settings and extract the SMB server settings, Sauvage explained.
However, the most serious flaw could allow attackers to execute commands on the router OS remotely with root privileges, giving them persistent backdoor access.
“Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account,” he explained. “It should be noted that we did not find a way to bypass the authentication protecting the vulnerable API; this authentication is different than the authentication protecting the CGI scripts.”
Linksys appears to have worked closely with IOActive to resolve the issues since being informed of the bugs in January, and was described by Sauvage as “exemplary in handling the disclosure.”
The Belkin-owned company released a security advisory today urging customers using guest networks on any of the affected models to disable the feature.
It also advised users to change the default admin password and to switch on automatic updates so that the smart router can receive security fixes when they become available.
The affected models are: WRT1200AC; WRT1900AC; WRT1900ACS; WRT3200ACM; EA2700; EA2750; EA3500; EA4500 v3; EA6100; EA6200; EA6300; EA6350 v2; EA6350 v3; EA6400; EA6500; EA6700; EA6900; EA7300; EA7400; EA7500; EA8300; EA8500; EA9200; EA9400 and EA9500.