Critical backdoor in Linksys and Netgear routers found.. (Again)

[ShyWriter]

.

Critical backdoor in Linksys and Netgear routers found

 

Posted on 03 January 2014.

 

 

A backdoor in some Linksys and Netgear wireless routers that allows malicious users to reset the devices' configuration to factory settings and, therefore, to default router administration username and password, has been discovered and its existence shared with the world.

French security systems' engineer Eloi Vanderbeken has first discovered the backdoor in his own Linksys WAG200G wireless DSL gateway, after deciding to limit the bandwidth used by his holiday guests and remembering he forgot the complex username and password combination he chose for accessing the router's administration panel.

By probing and prodding the device's firmware, he discovered that there was an unknown service listening on network port TCP 32764. The service accepts thirteen types of messages, among which are two that allowed him to peak into the configuration settings, and one that restored the router to its default factory settings.

After sharing the colourful details of his "quest" on his Github account, other hackers around the world took it upon themselves to check what other routers have the same backdoor.

Unfortunately, there are quite a few. The list allowed people to speculate that the affected devices have one thing in common: they have been manufactured by Sercomm, a firm that builds routers both under its own name and for several other companies, including Linksys and Netgear.

Other companies Sercomm works for are 3Com, Aruba and Belkin, so it's likely that those devices also sport the flawed firmware. Hopefully all of these companies will be pushing out a patched version as soon as possible.

SANS ISC CTO Johannes Ullrich has noted that since the revelation of the existence of the backdoor, they have been seeing an increase in probes for port TCP 32764.

"Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 80.82.78.9. ShodanHQ has also been actively probing this port for the last couple of days," he shared.

"At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network."

Sophos' Paul Ducklin also offered good advice on what to do and check.

 

SOURCE: https://www.net-security.org/secworld.php?id=16155

 

/Steve

[AdvancedSetup]

"Hopefully all of these companies will be pushing out a patched version as soon as possible."

 

Yeah right. You can't push out an update to a router.  It's a manual process the user has to initiate so we know how many routers wont' be getting updates even if they have an update available today, unless there is another undisclosed backdoor that allows the vendor that type of remote access to your router.

[GT500]

Yeah right. You can't push out an update to a router.  It's a manual process the user has to initiate so we know how many routers wont' be getting updates even if they have an update available today, unless there is another undisclosed backdoor that allows the vendor that type of remote access to your router.

Some routers automatically update their firmware.

Of course, I use the WRT54GL, which does not update automatically. Granted I also use Tomato rather than the actual Linksys firmware, so hopefully that shouldn't be an issue.

[AdvancedSetup]

Yes, true but not many and speaking for myself I certainly would not want my router to automatically update on it's own. I prefer to be in control of stuff like that. I'm sure that there are millions of routers out there that will never be updated.

[GT500]

Most likely.

[CWB]

in a grating nasal new jersey female accent ; "copy proofing failure , isle 13 ..." :

"among which are two that allowed him to peak into the configuration settings ..."

well , at least it wasn't "pique" ...

 

i took a look at some pictures of that router , it sure looks like one a friend of mine owns ... i'll be checking later on today .