Menu
Exploit released for vulnerability targeted by Linksys router worm

Exploit released for vulnerability targeted by Linksys router worm

The list of affected router models is larger than previously thought

Technical details about a vulnerability in Linksys routers that's being exploited by a new worm have been released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.

Last week, security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon.

The initial report from SANS ISC said the vulnerability is located in a CGI script that's part of the administration interface of multiple Linksys' E-Series router models. However, the SANS researchers didn't name the vulnerable CGI script at the time.

On Sunday, a Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.

"I was hoping this would stay under wraps until a firmware patch could be released, but it appears the cat is out of the bag," Rew wrote in the exploit notes.

The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware. The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

Linksys owner Belkin confirmed that some Wireless-N routers are also affected, but didn't name the exact models.

"Linksys is aware of the malware called 'The Moon' that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers," said Karen Sohl, director of global communications at Belkin, in an emailed statement Sunday. "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."

Sohl said customers can disable the remote management feature and reboot their routers to remove the malware, which suggests that the worm is not persistent across reboots.

Linksys published a technical article on its website with instructions on how to install the latest firmware version and disable remote management on affected devices. This solution might not be practical for router administrators who need to manage devices deployed in remote locations, but so far it appears to be the only official mitigation strategy offered by the vendor.

"Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," Sohl said.

The public release of a proof-of-concept exploit exposes the vulnerable routers to potential opportunistic and targeted attacks in addition to TheMoon malware threat. Cybercriminals have recently started compromising home routers to launch attacks against online banking users, suggesting the risk associated with serious vulnerabilities in routers is not just theoretical.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Linksysonline safetySANS InstituteNetworkingsecurityroutersbelkinExploits / vulnerabilitiesmalwarenetworking hardwareintrusion

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments