Broadband routers are ubiquitous these days, so much so that they go unnoticed; unless they fail, no one pays any attention to them. These routers run some kind of embedded OS, often Linux, on a fairly capable hardware platform which makes them interesting targets for an attacker. Because they tend to be invisible and unmonitored, subverting routers without affecting their normal function makes a perfect hidden space for malicious code to run.
As a recent Bugtraq posting from Gadi Evron points out, there have already been a few reports of vulnerable routers and we can only expect to see more. Even if the router manufacturers are staying on top of vulnerabilities in their codebase, which is not a foregone conclusion, there are still serious questions about how a largely non-technical user base will be assisted or forced into upgrading their firmware. The logistics of getting the right firmware and upgrade program into a user's hands and having them run it correctly so that their router does not turn into a brick is rather daunting. One can only imagine the volume of support calls that could be generated.
In many cases, the router makers are selling special versions of their hardware to specific broadband providers who sell or lease them to their customers. This allows the router maker to leave the support burden to the providers who typically already have a large technical support organization. It is unclear whose responsibility it is to track security issues and ensure that any critical vulnerabilities are patched, it probably depends on the contract. The broadband providers typically host any updates and manufacturer's websites refer users looking for updates there. It certainly seems like a situation where vulnerabilities could fall through the cracks.
As an example, Qwest provides a router for their DSL customers, made by Actiontec, that is based on Linux 2.4.17 which was released in December 2001. Since that time, there have been numerous 2.4 kernel releases, with the most recent, 126.96.36.199 having been released in April. Many of those releases have been done for security problems in various subsystems, including one for CAN-2005-0449 which could potentially lead to a denial of service from a bug in the netfilter packet filtering code. It is unclear if the router is susceptible to this particular problem, one hopes not, but there are plenty of other candidates, in the other security bug fixes or any that come up in the future.
Any outward (broadband) facing network service is, of course, a potential vector for security issues. Many of these routers serve web pages for configuration as well as allowing telnet or ssh connections for maintenance. One hopes that these services can only be configured to run on the internal network. Even then, many of these routers provide a wireless bridge in addition to ethernet on the LAN side and that may expose those services more broadly.
Once a router has been subverted, it could be turned to any number of malicious tasks; the simplest might be to add it to a botnet for spamming or distributed denial of service. It does not take much in the way of CPU horsepower or RAM to perform those kinds of tasks and they could easily run on many routers without interfering in any noticeable way. An attack focused on a particular individual could potentially intercept and report on all of their internet traffic; there is no better place for spyware on a network.
It is not only routers, of course, that are vulnerable, any embedded device could be a target, but routers have the network connectivity that makes them particularly interesting and accessible. Long before we start putting wireless network connected Linux systems in control of our cars, the need for vigilance about security updates for embedded devices must be ingrained into users. It needs to become as obvious to people as the need for an anti-virus scanner on Windows has become.
|Created:||May 21, 2007||Updated:||May 23, 2007|
|Description:||File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file.|
|Created:||May 17, 2007||Updated:||March 23, 2009|
|Description:||Libpng can be crashed when processing malformed PNG files. It may also be possible to exploit this vulnerability to execute arbitrary code.|
|Created:||May 17, 2007||Updated:||May 23, 2007|
|Description:||The Apache mod_security extension has a remote rule bypass vulnerability. A remote attacker can exploit this by sending a specially crafted POST request that bypasses the module ruleset. The attacker can potentially use this to execute arbitrary code with the privileges of the web server.|
|Created:||May 23, 2007||Updated:||December 17, 2007|
|Description:||Multiple buffer overflows in MyDNS allow remote attackers to cause a denial of service (daemon crash) and possibly execution of arbitrary code.|
|Package(s):||phpwiki||CVE #(s):||CVE-2007-2024 CVE-2007-2025|
|Created:||May 17, 2007||Updated:||September 12, 2007|
|Description:||The phpwiki Upload page does not properly check the extension of a file. This can be used by a remote attacker to upload a specially crafted PHP file and execute arbitrary PHP code with the privileges of the PhpWiki user.|
|Created:||May 18, 2007||Updated:||May 23, 2007|
|Description:||A Denial of Service (DoS) vulnerability exists in the Ratbox IRC Daemon, versions up to and including 2.2.5. Too many pending connections to the server from a single unknown client could result in a resource starvation.|
Page editor: Jonathan Corbet
Next page: Kernel development>>
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds