Cisco Systems has announced it will distribute patched firmware that eliminates the undocumented backdoor built into some Linksys and Netgear routers, which found its way into recent models of four Cisco routers as well.
The flaws were discovered by French security researcher Eloi Vanderbeken, who described the problem as “a very simple and bad[ly] coded backdoor” that had originated in code from SerComm Corp., the OEM that manufactured many of Linksys’ DSL modems before Linksys’ acquisition by Cisco. Cisco promised to post a software fix by the end of January; it will post a notice and download link on its security vulnerability page. Cisco routers affected by the flaw include WAP4410N Wireless-N Access Point, WRVS4400N Wireless-N Gigabit Security Router, and RVS4000 4-port Gigabit Security Router. Other Linksys models also appear to be vulnerable, but are Belkin’s problem rather than Cisco’s, following Cisco’s sale of its Linksys consumer division to Belkin last year.
Vanderbeken discovered the backdoor while trying to recover from the discovery that he had been locked out by his own security settings. While trying to log in to the Linksys WAG200G wireless DSL gateway that provides WLAN connections in his house, Vanderbeken realized he had shut off the ability to log in to the unit’s administrative screen over a wireless connection, and had forgotten the administrative password that would have allowed him to change it.
Rather than simply do a factory reset, as someone less technical or less self-sufficient would have done, Vanderbeken used the network mapper Nmap to scan the unit for open ports, looking for one that might allow him to authenticate as administrator. Instead he found that TCP port 32674 responded to messages, but no documentation he could find online described either the open port or its intended use.
In a search through the binary MIPS code of another copy of the Linksys firmware, Vanderbeken found a simple interface that appeared to be unrelated to the ordinary administrative functions, but still allowed him to send commands to the unit without having to log in as administrator. The interface allowed him to not only reset the unit to factory settings (accidentally), but also to send other commands and even run scripts in a command-line console he also discovered in the firmware.
So he wrote a script that would turn wireless access to the administration interface back on. “Thank you Linksys! You saved my Christmas,” Vanderbeken wrote in the PowerPoint slide set he created showing the vulnerable code, his efforts to investigate it, and the scripts that ultimately allowed him to turn Internet access back on for his family. Vanderbeken posted his results on GitHub, which prompted a flood of discussion and testing that suggested and then confirmed the source of the backdoor as firmware code dated from 2005 and identified as coming from LinkSys OEM SerComm.
Contributions from other testers showed the backdoor could be reached on many units via the Internet, though Vanderbeken’s own testing showed access available only locally. Other contributors also found that the same flaw appeared in a long list of other Linksys and NetGear units, all of which Cisco owns after its acquisition of Linksys and NetGear.
Vanderbeken was able to identify more than 2000 individual routers connected to the Internet whose responses demonstrated they could be taken over using the same flaw.
On Jan. 10, Cisco published a Security Advisory acknowledging the flaw as an undocumented test interface in Cisco Small Business devices and offered workarounds.