Skip to main content

Linksys E-Series Router Vulnerabilities

Five vulnerabilities have been found in several Linksys E-series routers. These are a Denial of Service (DoS) vulnerability, a Cross-Site Request Forgery (CSRF), a cross-site scripting (XSS) vulnerability, an HTTP header injection and improper session protection.
Threat ID:
CC-1722
Category:
Backdoor, DOS
Threat Severity:
Low
Threat Vector:
Published:
24 October 2017 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Five vulnerabilities have been found in several Linksys E-series routers. These are a Denial of Service (DoS) vulnerability, a Cross-Site Request Forgery (CSRF), a cross-site scripting (XSS) vulnerability, an HTTP header injection and improper session protection.

Threat details

There are currently no patches, though a fairly high level of competence is needed to carry out these attacks. The DoS attack is the easiest and does not require authentication from the attacker. It can be triggered by a GET request to a CGI-script to either reboot the device or freeze the web interface and Dynamic Host Configuration Protocol (DHCP) service.

The CSRF in the administrator interface occurs through the hijacking of the session ID over a LAN connection. The user is prompted to click on a malicious link, planted by the attacker. Once clicked, the attacker can change the configuration of the targeted device. The vulnerability can also be exploited via the internet if the session ID is internet-facing.

The XSS vulnerability in the administrator interface is exploited similarly to CSRF. With this exploit, the attacker can execute malicious code in the browser sessions of the user.

The HTTP header injection vulnerability involves the attacker sending a malicious request to the HTTP header to redirect the link to another site or steal the session ID of a user.

Improper session protection prompts an administrator to click a malicious link to allow the attacker to steal their session ID. This exploit requires an administrator to open a session before the attack and the attacker to have the same IP address as the administrator’s PC.

Remediation steps

Type Step
  • Monitor vendors for availability of patches and apply when they become available.
  • Restrict network access to the devices.
  • Temporarily power the devices off if they are not required.
  • Ensure users are aware of exploitation via malicious links.

Last edited: 17 February 2020 11:33 am