Researchers at security consultancy firm DefenseCode announced on Friday they had discovered a remote root access vulnerability affecting the default installation of a Linksys router. Since they said it likely affected multiple models, and pointed out Linksys has sold more than 70 million routers today, we contacted Cisco on Monday and were given the following statement:
Linksys takes the security of our products and customers’ home networks very seriously. Although we can confirm contact with DefenseCode, we have no new vulnerability information to share with customers – for our WRT54GL or other home routers. We will continue to review new information that comes to light and will provide customer updates as appropriate.
The story started to gather steam on Wednesday, however, so we got in touch with Cisco again, which told us it is still investigating the reported issue. Since Cisco has nothing more to share, we can only go off on what DefenseCode has said thus far.
Update on December 17: Cisco has confirmed the vulnerability, but only in one router model (the WRT54GL). See the bottom of this article for more.
The security firm says it contacted the networking company “months ago” and shared a detailed vulnerability description along with a proof of concept exploit. Cisco allegedly told DefenseCode that the vulnerability had already been fixed in the latest firmware release, which turned out to be incorrect: the researchers say the latest official Linksys firmware (4.30.14) and all previous versions are still vulnerable.
Here’s a demo video of the exploit, tested on a Linksys WRT54GL:
“Due to the severity of this vulnerability, once again we would like to urge Cisco to fix this vulnerability,” DefenseCode said. We agree that Cisco needs to hurry up, but DefenseCode also should wait until the issue is fixed before posting the exploit code publicly.
Update on January 17: Below is Cisco’s updated statement.
Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router. At this point, no other Linksys products appear to be impacted. We have developed and are testing a fix for this issue, and will release it for our customers as soon as possible. Until this time, customers using the WRT54GL can stay safe by ensuring their wireless network is securely configured, and the only people using an Ethernet cable for connecting to the router are friends. Linksys takes the security of our products and customers’ home networks very seriously, and we will continue provide updates as they become available.
Image credit: Daniel McCoy