
Critical Flaw Discovered In DD-WRT

kdawson posted more than 5 years ago | from the my-router-my-self dept.

Security 225

MagicM writes "A critical flaw has been discovered in DD-WRT, a Linux based alternative open source firmware for WLAN routers such as the fan-favorite Linksys WRT54GL. The flaw can give an attacker instant root access to the router merely by embedding an image with a specially crafted URL in a Web page (CSRF attack)." The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device.

This is a common stack in wifi APs (2, Insightful)

BadAnalogyGuy (945258) | more than 5 years ago | (#28806481)

Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?

We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.

Mod Parent Up (2, Interesting)

zarthrag (650912) | more than 5 years ago | (#28806503)

You know, as much as I used to complain about the many different distros - you've got a damn good point.

Re:Mod Parent Up (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28806523)

I traded my 360 for a Wii. Why? Because I already have a computer.

Re:Mod Parent Up (2, Insightful)

TheLink (130905) | more than 5 years ago | (#28807611)

Uh, they don't have to use different distros.

If people just disabled remote admin (which you should do anyway) and used different router IPs (e.g. not 192.168.1.1 or the usual), then attackers either need to do additional stuff to figure out what your default gateway is (and thus presumably your router IP), or they need to have significant control of a PC attached to the internal network (and presumably able to access the router webpage).

Re:This is a common stack in wifi APs (5, Insightful)

qoncept (599709) | more than 5 years ago | (#28806583)

What are you talking about?

1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

2. Do you think DD-WRT was really all that much more susceptible to having a flaw than, say, something from Cisco? Or, by the same thought process, do you think open source Linux is inherently more vulnerable than Windows?

3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

Software bugs happen. You don't need to get all philosophical about it. And besides, this is no more dangerous than the much larger number of people probably still using the default password on their router, and probably only slightly more dangerous than the huge number of people who don't have any kind of security. Relax.

Re:This is a common stack in wifi APs (5, Informative)

Anonymous Coward | more than 5 years ago | (#28806765)

3. Homogeny? Huh?! Do you mean the homogeny that's defined as "a significant portion of huge nerds (though certainly not even close to a majority) uses this software"? How many routers are being used in homes and small businesses around the world? You think enough of them are running DD-WRT to call it a homogeny? Name a router that you think has more instances of DD-WRT installed than the factory firmware.

WRT54GL

http://www.linksysbycisco.com/US/en/products/WRT54GL

Re:This is a common stack in wifi APs (1)

yakumo.unr (833476) | more than 5 years ago | (#28806839)

I'd mod you up if I had points atm :)

Re:This is a common stack in wifi APs (5, Insightful)

narfspoon (1376395) | more than 5 years ago | (#28806901)

[Citation Needed]

If you read the comments on NewEgg.com for that router model, not everyone mentions DD-WRT. Some use other 3rd party firmwares like Tomato or Open-WRT or custom builds. And believe it or not, some even write a positive review for the default factory firmware. The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys. BitTorrent crashes these small memory models often.

http://en.wikipedia.org/wiki/Linksys_WRT54G_series#Hardware_and_revisions [wikipedia.org]

Re:This is a common stack in wifi APs (1)

cenc (1310167) | more than 5 years ago | (#28807189)

I would say likely the Buffalo routers, as they get bad reviews for their factory firmware but great reviews for their hardware.

By the way I run Tomato on both types.

Re:This is a common stack in wifi APs (0)

Anonymous Coward | more than 5 years ago | (#28807543)

The nice thing about that model ("L" version) is the extra memory headroom. Earlier models were stripped and crippled to run a really crappy default firmware from Linksys.

No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

I have the 54GL as well. It is still one of the very few routers that supports IPv6, exactly because of the ability to use third-party firmware. I do not intend to buy another router unless it supports IPv6 at least as well as my current device.

And to add to the statistics: I run the v23sp2 firmware, so I'm still vulnerable. Now that there's an iptables workaround I'll apply that, but currently the site is slashdotted.

Re:This is a common stack in wifi APs (3, Informative)

Minwee (522556) | more than 5 years ago | (#28807625)

No, you've got it the wrong way around. Earlier models (up to v5.0) were hackable out-of-the-box. Linksys received quite some flak when they introduced the v5.0 model that had less memory and as such could not be easily re-flashed with third-party firmware. As a remedy they introduced the 54GL model that again had more memory (and a higher price of course).

So you agree that earlier models which were released shortly before the WRT54GL, were stripped and crippled. Except for the part where you said he was wrong you just agreed with everything the grandparent poster said.

Re:This is a common stack in wifi APs (2, Funny)

troll8901 (1397145) | more than 5 years ago | (#28807141)

The router appears to glow in the picture.

Does that mean the router has biochemical reactions involving free radicals as well?

Someone call Greenpeace! There's a lack of environmental progress from router makers!

Re:This is a common stack in wifi APs (5, Interesting)

HockeyPuck (141947) | more than 5 years ago | (#28806889)

1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.

Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.

If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

Re:This is a common stack in wifi APs (0)

Anonymous Coward | more than 5 years ago | (#28807247)

1. If people not only updated the firmware on their router, but had to do hacks to get it on there, don't you think they're probably at least a tad more likely to keep the firmware up to date than Joe Blammo with the factory firmware installed?

You're assuming that all these people that installed dd-wrt on their router installed it on their own routers only. Not their parents, friends etc, and forgot about it.

Do most open source projects have a mailing list in which ONLY important notifications like this go out? In comparison, two years ago I bought a coffee pot from Amazon, and the manufacturer issued a recall for the pot itself. Amazon notified me via email that there was a recall for the pot and provided instructions on how to get a new replacement glass pot. Trolling forums or slashdot isn't exactly my idea of customer service.

If I had bought a Cisco/linksys router and there was a similar problem would I have been notified after registering the product?

You are probably referring to the 'add me to the blabla-product mailing list? receive product updates and security notifications!! Just type your email address here' link when you download the software. Amazon probably put you on their list without your permission.

Re:This is a common stack in wifi APs (1)

Deadstick (535032) | more than 5 years ago | (#28807285)

Name a router that you think has more instances of DD-WRT installed than the factory firmware.

Linksys WRT54GL. The one they market through online dealers (no brick-and-mortar stores that I know of) specifically for people who want a Linux-based router that's friendly to third-party firmware.

rj

Re:This is a common stack in wifi APs (3, Insightful)

nitsew (991812) | more than 5 years ago | (#28806607)

Yes, there's a fix for this, but what is the likelihood of every person who owns a Wifi router fixing this flaw?

We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

Just because we love Linux doesn't mean that we should sacrifice the entire ecosystem to that love. We need to nurture other implementations to prevent this type of virus from wiping out our entire networking infrastructure.

What is the likelihood of any flaw on any system getting patched? I don't see how a vulnerability in DD-WRT is any different than if Cisco announced a major vulnerability in one of their systems. I bet just about the same percentage would be patched.

Re:This is a common stack in wifi APs (1)

Shads (4567) | more than 5 years ago | (#28806905)

In reality I would wager less of the dd-wrt routers would get patched, but only because a lot of them were deployed by non-professionals who will likely not see the news.

Re:This is a common stack in wifi APs (1)

nitsew (991812) | more than 5 years ago | (#28806989)

In reality I would wager less of the dd-wrt routers would get patched, but only because a lot of them were deployed by non-professionals who will likely not see the news.

That is a good point, but I would have to disagree. I think that if someone is going to deploy DD-WRT, they would probably be as likely to see an article or two on it. Most of the people I know that use DD-WRT are geeky security types anyway. :)

Re:This is a common stack in wifi APs (2, Funny)

DavoMan (759653) | more than 5 years ago | (#28807269)

Zomg they have discovered a vulnerability in EARTH! My infastructure runs on earth! Oh noes!! F1 key! F1!!!

Re:This is a common stack in wifi APs (4, Insightful)

middlemen (765373) | more than 5 years ago | (#28806625)

We talk about the dangers of homogeny, but this is exactly the type of thing that homogeny causes. All the routers with DD-WRT implemented to save costs, but in the end everyone is screwed.

As opposed to using the base software from Linksys/Cisco where you don't know where the flaws lie, and if someone figures it out, it rarely ever gets published on the web openly or gets fixed soon enough in a firmware update. How is that different ? At least if you use Linux, you have people who care, and only people who care about their networks or improved experience with their routers use DD-WRT/OpenWRT/Other in the first place. Most just use the default software on their routers, which remains unpatched for a large portion of its use if at all.

Re:This is a common stack in wifi APs (4, Informative)

Mad Merlin (837387) | more than 5 years ago | (#28806671)

It's hardly an issue with every wireless router. For example, the Tomato firmware is not vulnerable to this. Furthermore, most routers with DD-WRT are custom flashed, they don't come stock with it.

Re:This is a common stack in wifi APs (2, Informative)

Anonymous Coward | more than 5 years ago | (#28806925)

+1 for Tomato, that firmware is awesome and rock solid.

Re:This is a common stack in wifi APs (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28806729)

If you had a PIX, Sonicwall, Monowall, Linksys, Netgear etc.. router and it had a similar flaw, you would be equally screwed because you still have to fix it. I hope you don't think using those products is 100% risk free and that they never need patched/updated.
It doesn't matter if 1000 people are using [Router_X] or 100 million people are using it. This type of flaw on your equipment is not safer, better, worse, or any less of a flaw or risk to you and your network regardless of the overall penetration of that router in the field. Would you honestly feel safer and feel your network is better protected if you were using a different brand router and it had a similar flaw?

   

Re:This is a common stack in wifi APs (1)

Shads (4567) | more than 5 years ago | (#28806921)

/me winces as he remembers all the web vulnerabilities on the PIX.

Re:This is a common stack in wifi APs (2, Insightful)

Shads (4567) | more than 5 years ago | (#28806879)

What you're advocating, in a round about way, is security through obscurity.

Security through obscurity doesn't work.

All security through obscurity does is propagate a false sense of security that you're safe because you've not heard any major news headlines telling you that you're vulnerable... meanwhile, you've been rooted for 3 months.

Re:This is a common stack in wifi APs (1)

Co0Ps (1539395) | more than 5 years ago | (#28807235)

Maybe in theory, but in the real world security through obscurity works, even if you like it or not. It works in the sense that it makes potential exploits harder to find. Have you ever tried reverse engineering? Digging through ASM code looking for potential exploits IS a lot harder when you don't have the source code. This is a fact.

Software with more potential exploits is not automatically less secure. You got to take the probability that they will be found into account. And other factors.

Re:This is a common stack in wifi APs (1)

TypoNAM (695420) | more than 5 years ago | (#28807525)

but in the real world security through obscurity works, even if you like it or not.

It's working alright, for those who exploit unknown vulnerabilities to create problematic disasters such as botnets. And then there were those instances of flaws discovered in Diebold Election Systems (now known as Premier Election Solutions [wikipedia.org] ) voting machines too.

Security through obscurity works. (3, Interesting)

TheLink (130905) | more than 5 years ago | (#28807475)

I disagree. Security through obscurity works.

For example: in this case if you had already changed your router's IP address, it would be harder for the attackers to figure it out. For example if you use the 10.35.79.184, the same url that can exploit thousands of other dd-wrt routers (e.g. http://192.168.1.1/etcetc ), won't work on your router. So there has to be an attack specifically targeting you[1]. Which rarely happens unless you're famous or have made yourself infamous (or well-hated amongst hacker circles).

So you have more time to update your router or even have time to wait to see if the updates don't break other stuff first.

You're not as vulnerable to zero-day attacks as other people.

Same goes for putting running sshd servers on a different port. I could use port knocking or other stuff, but so far running it on a different port works well enough for me.

I actually have my sshd server bound on an IP and port that's unreachable from outside, and my firewall has a rule to forward outside connections to it. This way if a mistake happens and my firewall rules get disabled/cleared, ssh and other crap from outside won't work.

[1] If a top hacker was targeting you specifically, they'd probably be able to pwn you.

For example:
1) I'm sure there are many zero-day browser/plugin exploits left (just look at how fast the pwn2own winners pwn stuff - they just sacrifice one of the zero-day exploits they have).
2) I doubt most ISPs have locked their BGP stuff down, so the attackers could use "BGP eavesdropping/prefix attacks" to hijack your connections.

With 1) and 2) you'd be merrily browsing your usual sites and pwned without noticing a thing- the hacker would just pass most of the traffic on, and just alter one or two connections to exploit the relevant browser bug.

It's "homogeneity" (2, Informative)

Merdalors (677723) | more than 5 years ago | (#28806947)

We have to nip this in the bud: it's "homogeneity" (Webster, Oxford)

Sorry about that.

Re:It's "homogeneity" (4, Funny)

BadAnalogyGuy (945258) | more than 5 years ago | (#28807001)

langs morf. get use 2 it.

Re:This is a common stack in wifi APs (0)

Anonymous Coward | more than 5 years ago | (#28807009)

If you're complaining about Linux as 3rd party firmware on WRTs then you are sorely misinformed. The one I recently purchased proudly states "powered by Linux" on the box and offers details about obtaining the source code:

http://imgur.com/1SWbL.jpg

Standard Practices (4, Insightful)

karnal (22275) | more than 5 years ago | (#28806499)

I was wondering: How can this attack be carried out if the external web management is turned off? From the article:

Note: The exploit can only be used directly from outside your network over the internet if you have enabled remote Web GUI management in the Administration tab. As immediate action please disable the remote Web GUI management. But that limitation could be easily overridden by a Cross-Site Request Forgery (CSRF) where a malicious website could inject the exploit from inside the browser.

The Slashdot blurb does state "The linked page notes that a fix is being rolled out (build 12533) and gives firewall rules to thwart the attack if the fix is not available yet for a particular device." but that statement doesn't curb a lot of the "The Sky is FALLING!" reactions....

Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.

Re:Standard Practices (4, Informative)

BigHungryJoe (737554) | more than 5 years ago | (#28806553)

Maybe I'm misunderstanding, but if the exploit is "injected from inside the browser" then won't the management of the device be coming from the local interface, not the internet side?

Re:Standard Practices (2, Informative)

tonyreadsnews (1134939) | more than 5 years ago | (#28806663)

Yeah, that's what I got from that statement too.

The easy way is to go directly in through the remote Web GUI.

slightly harder to go in through the browser running inside the network.

Re:Standard Practices (2, Interesting)

Culture20 (968837) | more than 5 years ago | (#28806937)

Thus why you don't allow web management even on the local interfaces except with a specific IP that isn't your workstation. The possibility of http redirects to default local IPs that routers use (attempting default password logins) has been around since their inception.

Re:Standard Practices (1)

camperdave (969942) | more than 5 years ago | (#28807255)

Yes, but you're hardly likely to try to exploit your own device, are you? Attempts to exploit the flaw will be coming from the internet. By turning off remote configuration, a malicious hacker would have to find a proxy server on your LAN and bounce the attack off that to your device.

Re:Standard Practices (2, Interesting)

BigHungryJoe (737554) | more than 5 years ago | (#28807495)

coming from the internet, but executed from YOUR browser. That's the danger they're talking about.

Re:Standard Practices (1)

tolan-b (230077) | more than 5 years ago | (#28807645)

Indeed. Though CSRF flaws are also dependent on you being logged into the vulnerable application at the time that you visit the compromised website (or that the application doesn't require any login but I'd be very surprised if that were the case here).

Re:Standard Practices (1)

ekimminau (775300) | more than 5 years ago | (#28807483)

Maybe I'm missing something here but:

1) If you have your DD-WRT installed router inside your home network and assigned a private, not public IP

and

2) You do not port forward from the internet to your private VLAN the port for the administrative interface

and

3) You only allow administration from your LAN or Wireless LAN

and

4) your Wireless LAN is securely configured to only allow connections from people using the appropriate security

then

My understanding of the vulnerability is that unless someone is on your LAN or wireless LAN, they would have no way to submit the crafted URL to your DD-WRT installed router and this is all a bunch of hoopla.

Am I misunderstanding something?

Re:Standard Practices (1, Redundant)

karnal (22275) | more than 5 years ago | (#28806565)

Alright, I'm a n00b. I didn't read that second line fully before posting regarding the injection.

Re:Standard Practices (0)

Anonymous Coward | more than 5 years ago | (#28807335)

Actually you will fit right in with the general crowd here, although you are being an over-achiever by neglecting to read the summary.

Re:Standard Practices (5, Informative)

gamefreak1450 (887066) | more than 5 years ago | (#28806603)

Basically, I would NEVER allow remote web management of a device if it's on the internet.

Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL. If they can trick you into viewing that image, then your router will be compromised from your computer on the network. Disabling the external management will prevent internet users from compromising your router, but it is still vulnerable to local threats, as executed through the CSRF method.

Re:Standard Practices (2, Funny)

Anonymous Coward | more than 5 years ago | (#28806719)

Good idea, but this is a critical exploit because hackers can make an img tag load the malformed URL.

What about dentists? Can dentists make an img tag to load the malformed URL too, or just hackers?

Re:Standard Practices (0)

Alarash (746254) | more than 5 years ago | (#28806949)

Yes. Only if you enabled the management from the WAN interface, as I understand, are you vulnerable. And you deserve to be hacked if you did that, really.

Re:Standard Practices (0)

Anonymous Coward | more than 5 years ago | (#28807311)

Nope

Re:Standard Practices (1)

Xua (249955) | more than 5 years ago | (#28807007)

Basically, I would NEVER allow remote web management of a device if it's on the internet. I believe the default for DD-WRT is to disable it as well, so you'd have to go in and tell the device that you want to enable this feature. All in all, I think for most users, this issue is a non-issue.

Sure in DD-WRT external web access is disabled by default so it is necessary to enable it manually. But it is a quite convenient thing because DD-WRT provides a Wake-On-Lan functionality and it is possible to turn computers on in the LAN. When I go to work I can leave my home computer off and if I need it, I can turn it on using my router. Now I had to disable external web access until I update firmware to a safe version.

Worse than that (4, Informative)

tomtomtom (580791) | more than 5 years ago | (#28806501)

It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick. That URL can be put in a malicious tag on an HTML page and the user most likely won't even notice it.

See the Register article [theregister.co.uk] on it from a couple of days ago.

Re:Worse than that (1)

Lumpy (12016) | more than 5 years ago | (#28806875)

disable http.

only use https for router config access.

All of a sudden the attack vector is useless.

Re:Worse than that (1)

michaelhood (667393) | more than 5 years ago | (#28807003)

Congrats on not understanding how the internet works.

Re:Worse than that (2, Informative)

hoosbane (643500) | more than 5 years ago | (#28807037)

Um... no. The URLs that break this work just as well over HTTPS. And the firewall rule they offer to protect against the hack won't protect the HTTPS port, so you're actually *more* vulnerable over HTTPS. Of course, the CSRF attack can be mitigated by just not using the default IP range for your router.

Re:Worse than that (2, Interesting)

twistah (194990) | more than 5 years ago | (#28807183)

Did you bother even reading the article? The code is in httpd.c, which obviously handled both types of connections. I almost hate SSL sometimes because people equate it with security -- but not encryption or integrity, but that somehow it's a magical fix-all for whatever the security flaw is. I see this kind of thinking in IT people in charge of the enterprise and it scares me. Security is not about having a setting enabled, and it certainly requires much more analysis than a simple dismissive suggestion.

Re:Worse than that (1)

MikeURL (890801) | more than 5 years ago | (#28807371)

So if you have forgotten your password then this is your lucky day?

Re:Worse than that (1)

noidentity (188756) | more than 5 years ago | (#28807451)

It's worse than a specially crafted image - there's a code injection flaw in the httpd server so merely accessing a URL that looks like "http://routerIP/cgi-bin/;command_to_execute" will do the trick.

I tried to go to that URL but I just got a message "command 'command_to_execute' not found". Why doesn't it work?

proving once again (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28806507)

that linux isn't ready for the desktop.

I'd download the patch but... (1, Funny)

Anonymous Coward | more than 5 years ago | (#28806571)

my router keeps redirecting me to porn sites and scrolling "pWnD by c0d3k177y" in HTML marquee tags at the top of my browser.

Re:I'd download the patch but... (0)

Anonymous Coward | more than 5 years ago | (#28807211)

It means you should cancel your FARK account.

Oh no! (0, Flamebait)

AtomicDevice (926814) | more than 5 years ago | (#28806585)

Because attackers will certainly have difficulty cracking your crappy wep key in 5 minutes or less, or guessing that your username and password is "linksys"/"admin"
And it's only if you have web management enabled? who does that anyways? "Yeah I like to change my wifi password from work sometimes, or maybe forward some ports without having to log into my home machine"

Re:Oh no! (0, Redundant)

TheMeuge (645043) | more than 5 years ago | (#28806817)

And the reason you cannot specify that only wired connections can access the management interface is what exactly?

Re:Oh no! (1)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28806997)

That does block the nastier exploit (explained below). But there is another vector which that doesn't address: commands issued *from* your browser. Steps:

  1. You visit a malicious webpage for one reason or another (read: porn, warez)
  2. The webpage contains a malicious resource request (I'm not clear on whether an img tag would be sufficient, but JS could definitely do it) that occurs on page load
  3. The request actually goes straight to your router, which interprets it as a perfectly legitimate management order

The bigger exploit is if you enabled remote management. In that case you don't even have to turn on your computer, they can just directly access your router from the outside. But exploits that require you to visit a malicious link, in any common browser, are still serious.
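
Added example, not part of the thread and not DD-WRT or Slashdot code: a defensive check that a filtering proxy or a page reviewer could run over fetched HTML to flag markup that makes the browser request a LAN address, which is the request path the steps above describe. The function names, the finding labels and the sample HTML are assumptions made for illustration; the sample reuses the URL shape and the two addresses quoted elsewhere in this thread.

```python
"""Flag markup on a public page that makes the browser request a LAN device."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Attributes whose URL the browser fetches on load, or on one click/submit.
URL_ATTRS = {"src", "href", "action", "data", "poster", "background"}
# Characters a shell treats specially; unexpected in a CGI path.
SHELL_META = set(";|&`$<>")


def is_lan_address(host):
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are out of scope for this static check
    return ip.is_private or ip.is_loopback or ip.is_link_local


class LanRequestFinder(HTMLParser):
    """Collects every tag attribute that points at a LAN address."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                parts = urlsplit(value.strip())
                host = parts.hostname
            except ValueError:
                continue  # malformed URL, nothing the browser would fetch
            if not host or not is_lan_address(host):
                continue
            path = unquote(parts.path)
            kind = "lan-request"
            if "/cgi-bin/" in path:
                tail = path.split("/cgi-bin/", 1)[1]
                if any(ch in SHELL_META for ch in tail):
                    kind = "cgi-bin-metachar"
            self.findings.append(
                {"tag": tag, "attr": name, "host": host, "path": path, "kind": kind}
            )


def scan_page(page_url, html):
    """Return findings for html served from page_url.

    Pages that are themselves served from a LAN address are skipped, since
    a router's own admin pages legitimately link to the router.
    """
    origin = urlsplit(page_url).hostname or ""
    if is_lan_address(origin):
        return []
    finder = LanRequestFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not captured traffic).
SAMPLE_HTML = """
<html><body>
<img src="http://example.com/logo.png">
<img src="http://192.168.1.1/cgi-bin/;command_to_execute" width="1" height="1">
<iframe src="http://10.35.79.184/index.asp"></iframe>
<a href="/about.html">about</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page("http://public.example/page", SAMPLE_HTML):
        print(finding)
```

This is a static scan of markup only: requests that a script builds at run time do not show up in it, and a hostname that resolves to a LAN address is not checked.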

it sucks...but (1, Informative)

Em Emalb (452530) | more than 5 years ago | (#28806615)

Bravo to them for owning up to it and also posting the fix on the same page.

The interesting thing I've read a lot here is how vulnerable and worthless Microsoft is when it comes to security...but it seems the people that think this automatically point to Linux as being secure.

Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.

It flabbergasts me that people don't see this. The greatest thing Linux has going for it is the collaboration and freedom of the code. With that freedom comes the ability to exploit it. Wait til market share gets larger, it'll start to happen a lot more than the rare article here and there. The good news, though, is again, they identified the problem AND THE FIX on the same page. (Something MS has to be drug kicking and screaming along in order to do that)

Re:it sucks...but (0)

Anonymous Coward | more than 5 years ago | (#28806763)

Post faster, friend. Your comments are wasted so far down in the thread.

Re:it sucks...but (2, Insightful)

Anonymous Coward | more than 5 years ago | (#28806887)

Linux is somewhat secure, but a LOT of the security of linux is due to a limited (unfortunately) market share. If Linux owned 30% or more of the market space for end-user goods, we'd see a HUGE influx of hacks, malware, adware, etc.

Exactly - that's the same reason why there are so many malware authors targeting Apache!

Oh wait..

Re:it sucks...but (1)

mini me (132455) | more than 5 years ago | (#28807095)

LOT of the security of linux is due to a limited (unfortunately) market share

Well, it is hard to compete with Apple's 91% market share [cnet.com] .

Re:it sucks...but (0)

Anonymous Coward | more than 5 years ago | (#28807501)

For those too lazy to click on the article, that figure is specifically "retail computers that are over $1000". In other words, it doesn't include any reasonably priced retail PC or any power-users who build their own computers that come to totals over $1000. It's a meaningless statistic.

Re:it sucks...but (1)

jabjoe (1042100) | more than 5 years ago | (#28807105)

I don't buy the market share argument. Linux is already very widely spread, just not on the desktop. It should be a target for hacks now as the many web servers running it should be juicy targets.

Also, because of package management, malware and adware is never going to be an issue, not unless you add an infected repository. My bet is most "normal" linux users, don't add repositories anyway. They just think of add/remove software as if it was a less polished iStore. They don't install stuff from any random place, and chances are don't know how to.

The old home-use admin-login issue, I admit, isn't as fair to shout windows down for anymore as steps have been taken as of Vista to address this weakness.

Your second argument is that open source is going to be less secure. This is a big debate. One I think the open source guys have all but won. "Security via obscurity is no security at all." etc etc. I go with that because if a company thinks no one knows, or will know, I doubt they will fix it, it's a cost analysis thing. Whereas when someone finds an open source one, they shout about it, which is fine, they deserve the cred.

Re:it sucks...but (1)

Em Emalb (452530) | more than 5 years ago | (#28807205)

just not on the desktop

This is what I was talking about, for the record. Hopefully I'm wrong. Hopefully linux will overtake MS and be the future of the desktop, we'll see. But if linux is the future, it will need to be more secure as more and more non-technical people use it. According to the latest market share report, linux has 1% of the desktop market. 1%.

wtf is a DD-WRT? (-1, Flamebait)

js3 (319268) | more than 5 years ago | (#28806641)

what the hell is a DD-WRT? Can someone find a list of actual routers that are affected by this instead of speaking in geek terms?

Re:wtf is a DD-WRT? (0)

Anonymous Coward | more than 5 years ago | (#28806703)

It's a third party firmware for most wireless routers. So, it affects whatever devices YOU install it on.

Re:wtf is a DD-WRT? (1)

Hatta (162192) | more than 5 years ago | (#28806715)

Your statement is exactly analogous to this one:

What the hell is a linux? Can someone find a list of actual computers that are affected by this instead of speaking in geek terms?

If you had dd-wrt, you would know.

Re:wtf is a DD-WRT? (4, Informative)

Pulse_Instance (698417) | more than 5 years ago | (#28806737)

DD-WRT is custom firmware that supports more than 200 different devices. This page [dd-wrt.com] will tell you if your device is supported. Someone who wants to use DD-WRT needs to get one of those devices then install this firmware. To answer your question: no, someone can not find a list of actual routers that are affected by this. It is likely though that only geeks have it installed and that means that it is more likely that they will patch it.

DD-WRT is a lie! (0, Informative)

Anonymous Coward | more than 5 years ago | (#28807385)

Some jackass named brainslayer stole the openwrt source code, wrote a dinky (and obviously poorly written) web interface for it and branded the whole thing as "his" and probably said fuck the gpl and the golden goose it rode in on.

See: http://www.bitsum.com/about-ddwrt.htm

Re:wtf is a DD-WRT? (1)

nitsew (991812) | more than 5 years ago | (#28806777)

what the hell is a DD-WRT? Can someone find a list of actual routers that are affected by this instead of speaking in geek terms?

Dude... This is Slashdot. What did you expect? :) This should have all of the information you need: http://www.google.com/search?source=ig&hl=en&rlz=&=&q=dd-wrt&aq=f&oq=&aqi=g10 [google.com]

Re:wtf is a DD-WRT? (1, Informative)

Anonymous Coward | more than 5 years ago | (#28806869)

If you don't know what is dd-wrt, then you are not affected. Those who have it installed it themselves. There are also a few companies selling routers pre-flashed with dd-wrt but again their market isn't the average joe. By the way, google is your friend.

Does this affect the non-wireless router? (0, Offtopic)

improfane (855034) | more than 5 years ago | (#28806743)

I have the non-wireless version of this router (BEFSR41)

Does anyone know if it affects that too?

Re:Does this affect the non-wireless router? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28806853)

Well, that depends if you installed DD-WRT on it. If you did, then you're affected. If you have the Linksys firmware, then you're not.

Re:Does this affect the non-wireless router? (1)

nitsew (991812) | more than 5 years ago | (#28807063)

I have the non-wireless version of this router (BEFSR41)

Does anyone know if it affects that too?

It will only affect routers that have the DD-WRT firmware loaded on them. You have to load that firmware yourself, so you would more than likely know if this flaw affected you.

Re:Does this affect the non-wireless router? (2, Insightful)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28807089)

If you installed DD-WRT, yes. This has nothing to do with any technical specs on the router; it's a software processing bug that is exploitable either via an incoming connection from the internet (if remote management is enabled) or if any local user accesses a carefully crafted malicious website.

Re:Does this affect the non-wireless router? (1)

mouseblue (1602125) | more than 5 years ago | (#28807135)

You have to re-flash the firmware to install DD-WRT (or Tomato, Open-WRT, etc).

I don't even see your device listed here: http://www.dd-wrt.com/wiki/index.php/Supported_Devices [dd-wrt.com]

It's mostly Broadcom or Atheros chipset WiFi routers that are supported.

Re:Does this affect the non-wireless router? (1)

improfane (855034) | more than 5 years ago | (#28807621)

I have Tomato on my outward inner router but this doesn't seem to be affected as it's based on Linksys' own firmware.

DD-WRT !GPL Compliant (or open source) (5, Informative)

Anonymous Coward | more than 5 years ago | (#28806751)

DD-WRT just isn't compliant with the GPL on so many levels. Calling it an "open source" firmware is a lie and a disgrace to the open source community.

The open source parts are OpenWRT.

Re:DD-WRT !GPL Compliant (or open source) (5, Informative)

Anonymous Coward | more than 5 years ago | (#28806991)

DD-WRT is Harmful [bitsum.com] to open source

Please look at this picture ... (5, Interesting)

janwedekind (778872) | more than 5 years ago | (#28806771)

... to add a firewall-rule fixing this issue.

Linksys suck (-1, Troll)

FudRucker (866063) | more than 5 years ago | (#28806849)

especially since Cisco took over, before they were just cheap but usable, now you can't even navigate their crappy flash bloated website, i am going to buy a Netgear router as soon as i get my paycheck today, then post a rant on youtube why Linksys sucks too much.

you hear that Cisco, customers that just want the info and support don't want their web browsers bogged down with a bunch of stupid & useless graphics and flash animations, fire your webmasters and graphics designers and get a clean yet simple website that is easy to navigate without flash

Sorry to see you go (4, Funny)

Anonymous Coward | more than 5 years ago | (#28806981)

Greetings, I am a Linksys customer service representative. While I'm sorry to hear that you'll be leaving us, I'd like to remind you that if you have to wait for your paycheck in order to purchase a piece of home networking equipment, perhaps navigating flash based websites is the least of your worries. Have you considered going back to school?

Re:Linksys suck (2, Insightful)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28807053)

Wait, what? Are you against the Linksys website or their routers? Of all the reasons to reject a router, poor corporate website design is not that high on my list of priorities:
  1. Security
  2. Compatibility
  3. Ease of use
  4. Performance
  5. ...
  6. Corporate website design

Feel free to hate Linksys for any of the other reasons. I was royally pissed off for a long time by the relentless router reboots caused by poor interaction between the logging mechanism and BitTorrent; thankfully they released fixed firmware for that a few years ago. But I'm not going to drop them just because they overuse Flash.

Re:Linksys suck (-1, Troll)

FudRucker (866063) | more than 5 years ago | (#28807403)

well, let's see, i never updated the firmware on a Linksys wrt54g version 8.2 so i go to Cisco/Linksys website to check on a firmware update since the topic of this vulnerability comes up and i find the website's pages to select the router version won't load (v.8.2) since i can not even see if i need a firmware update i consider that router no longer safe to use, is it vulnerable?, is it even still supported? maybe it is time to switch router brands to another company that has a website where i can at least check to see if there is a firmware update.

Re:Linksys suck (3, Informative)

ShadowRangerRIT (1301549) | more than 5 years ago | (#28807473)

If you paid even a lick of attention to TFA, you'd note that this is a vulnerability in third party software. If you've got stock firmware, you don't need to update, and if you don't have stock firmware, you couldn't get the update from Linksys anyway.

Old news (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28806927)

This was just posted now? LOL

Keeping up (0, Offtopic)

dvhirt (956314) | more than 5 years ago | (#28806967)

This has been reported since at least 2009-07-20. C'mon Slashdot, keep up!

Congrats on taking almost 4 days to post this! (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28806985)

I submitted this story more than 72 hours ago. It's been public knowledge for at least 96 hours. I know this isn't strictly a security site, but c'mon! Four days is too long for a remote exploit on one of the most widely deployed consumer router platforms.

This issue is way overblown. FUD (0, Redundant)

Anonymous Coward | more than 5 years ago | (#28807011)

This only affects users who enabled remote web management which is turned off by default. Remote web management is a setting that lets you access and change settings over the Internet which would be stupid to turn on in the first place except under special circumstances (i.e., router was behind other routers and you needed to change settings remotely).

FURTHERMORE, it only affects http, NOT https.. and if you are configuring network infrastructure settings or router passwords without a secure connection over the Internet, you shouldn't be managing networks.

It is a security issue, but this is way overblown... It's not going to affect 99.999% of the userbase.. I wish whoever submitted this fud would have actually read the article or understood the problem.

Re:This issue is way overblown. FUD (3, Informative)

abcabcabc (1603255) | more than 5 years ago | (#28807125)

Nope, it affects https as well. Furthermore, it does not require remote web management since the attack can be carried out via CSRF.

Re:This issue is way overblown. FUD (0)

Anonymous Coward | more than 5 years ago | (#28807147)

Forgot to say.. you can be affected by internet sources if you use http for the internal web management (a default). So.. if you get a remote site to have a browser on the internal network display a malicious image, yea you are in bad shape.

Resume panicking! This is bad.

Re:This issue is way overblown. FUD (1)

jafiwam (310805) | more than 5 years ago | (#28807329)

Huh? With a URL in a web page the request comes from the browser run by the person sitting inside the network.

How is that a "remote web management" issue? Remote web management would allow a login attempt from anywhere on the internet.

This attack does not need that.

I think YOU need to go re-read the article and come back and explain how a URL on an internal machine is going to try to connect to the external interface of the router (which is what the "remote web management" does, turns on the WAN interface to accept logins).

How did this happen? (5, Interesting)

MobyDisk (75490) | more than 5 years ago | (#28807023)

The bug resides in DD-WRT's hyper text transfer protocol daemon, which runs as root.

Whhaaat??? And the command looks like:

http://routerIP/cgi-bin/;command_to_execute

Whhaaat???

This is a bug even Adobe would be ashamed to admit. An http server, running as root, accepts arbitrary commands, without authentication, embedded in a URL? That's not a bug that's... that's a design flaw... no... that's... unbelievable!

Is there a legitimate reason that the http daemon runs as root? (It is for embedded devices...) Or that commands are accepted over HTTP GET like that?
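As an added example (not part of the original comment, and not DD-WRT code): one way a defender could look for the request shape quoted above, and for the cross-site variant discussed elsewhere in this thread, in HTTP proxy records. The record layout, the sample entries and the function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample records (client, method, URL, Referer); not a real capture.
SAMPLE = [
    ("192.168.1.23", "GET", "http://192.168.1.1/cgi-bin/;command_to_execute",
     "http://forum.example/thread/42"),
    ("192.168.1.23", "GET", "http://192.168.1.1/cgi-bin/%3Bcommand_to_execute", ""),
    ("192.168.1.23", "GET", "http://192.168.1.1/index.asp", "http://192.168.1.1/"),
    ("192.168.1.40", "GET", "http://www.example.org/cgi-bin/search?q=a;b",
     "http://www.example.org/"),
    ("192.168.1.40", "GET", "https://10.0.0.1/cgi-bin/;command_to_execute",
     "https://blog.example/post"),
]

def is_private_host(host):
    """True only for IP literals in private address space."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname (or empty string), not an IP literal

def classify(url, referer):
    """Return None, 'suspicious-path' or 'csrf-suspect' for one request."""
    parts = urlsplit(url)
    # Decode percent-escapes first so an encoded ';' is flagged too. Whether the
    # router's httpd decodes it is not stated on the page; over-matching is deliberate.
    path = unquote(parts.path)
    if not path.startswith("/cgi-bin/;"):
        return None
    ref_host = urlsplit(referer).hostname if referer else None
    cross_site = ref_host is not None and ref_host != parts.hostname
    # A page on one site causing a request to a private-address device is the
    # CSRF pattern: the browser inside the LAN is the one making the request.
    if is_private_host(parts.hostname or "") and cross_site:
        return "csrf-suspect"
    return "suspicious-path"

def scan(records):
    """Return (client, target host, verdict) for every flagged record."""
    hits = []
    for client, _method, url, referer in records:
        verdict = classify(url, referer)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A missing Referer is reported as `suspicious-path` rather than cleared, since browsers often omit the header on cross-site image loads.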

NoScript! (2, Informative)

WD (96061) | more than 5 years ago | (#28807099)

NoScript actually mitigates this vulnerability. The ABE feature, in particular:
http://noscript.net/abe/ [noscript.net]

So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.

An easy work around (1)

jafiwam (310805) | more than 5 years ago | (#28807273)

An easy work around for this is to make the router URL IP address on the LAN side not easily predictable.

Stick it somewhere in the 10. private IP space block and any code injection not also stumbling on the correct URL will instead get a "Server not found" error.

This will vastly reduce the chances of getting hit by any future as of yet undiscovered security problems using a URL, updated patches or not.

The nasty "loses all settings" DDWRT bug (0)

Anonymous Coward | more than 5 years ago | (#28807527)

I know it's not a security setting, but this one bug that the DDWRT team won't admit to keeps me from using it. Here's the discussion:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=8895&postdays=0&postorder=asc&start=255

I got bit by that a few times, and reflashed to Tomato and haven't had ANY problems. Now, I know the DDWRT team claims it's not a bug with their software, but rather an oddity with the hardware. Sooooo, if it ONLY happens on their build, and NEVER has happened to me on Tomato...sure sounds like it could be fixed in software....

This is not true (1)

IsaacD (1376213) | more than 5 years ago | (#28807613)

there is no such thing as a "flaw" in Linux.