User: Password:
Subscribe / Log in / New account


Brief items

When routers go bad

May 23, 2007

This article was contributed by Jake Edge.

Broadband routers are ubiquitous these days, so much so that they go unnoticed; unless they fail, no one pays any attention to them. These routers run some kind of embedded OS, often Linux, on a fairly capable hardware platform which makes them interesting targets for an attacker. Because they tend to be invisible and unmonitored, subverting routers without affecting their normal function makes a perfect hidden space for malicious code to run.

As a recent Bugtraq posting from Gadi Evron points out, there have already been a few reports of vulnerable routers and we can only expect to see more. Even if the router manufacturers are staying on top of vulnerabilities in their codebase, which is not a foregone conclusion, there are still serious questions about how a largely non-technical user base will be assisted or forced into upgrading their firmware. The logistics of getting the right firmware and upgrade program into a user's hands and having them run it correctly so that their router does not turn into a brick is rather daunting. One can only imagine the volume of support calls that could be generated.

In many cases, the router makers are selling special versions of their hardware to specific broadband providers who sell or lease them to their customers. This allows the router maker to leave the support burden to the providers who typically already have a large technical support organization. It is unclear whose responsibility it is to track security issues and ensure that any critical vulnerabilities are patched, it probably depends on the contract. The broadband providers typically host any updates and manufacturer's websites refer users looking for updates there. It certainly seems like a situation where vulnerabilities could fall through the cracks.

As an example, Qwest provides a router for their DSL customers, made by Actiontec, that is based on Linux 2.4.17 which was released in December 2001. Since that time, there have been numerous 2.4 kernel releases, with the most recent, having been released in April. Many of those releases have been done for security problems in various subsystems, including one for CAN-2005-0449 which could potentially lead to a denial of service from a bug in the netfilter packet filtering code. It is unclear if the router is susceptible to this particular problem, one hopes not, but there are plenty of other candidates, in the other security bug fixes or any that come up in the future.

Any outward (broadband) facing network service is, of course, a potential vector for security issues. Many of these routers serve web pages for configuration as well as allowing telnet or ssh connections for maintenance. One hopes that these services can only be configured to run on the internal network. Even then, many of these routers provide a wireless bridge in addition to ethernet on the LAN side and that may expose those services more broadly.

Once a router has been subverted, it could be turned to any number of malicious tasks; the simplest might be to add it to a botnet for spamming or distributed denial of service. It does not take much in the way of CPU horsepower or RAM to perform those kinds of tasks and they could easily run on many routers without interfering in any noticeable way. An attack focused on a particular individual could potentially intercept and report on all of their internet traffic; there is no better place for spyware on a network.

It is not only routers, of course, that are vulnerable, any embedded device could be a target, but routers have the network connectivity that makes them particularly interesting and accessible. Long before we start putting wireless network connected Linux systems in control of our cars, the need for vigilance about security updates for embedded devices must be ingrained into users. It needs to become as obvious to people as the need for an anti-virus scanner on Windows has become.

Comments (10 posted)

New vulnerabilities

clamav: file descriptor leak

Package(s):clamav CVE #(s):CVE-2007-2029
Created:May 21, 2007 Updated:May 23, 2007
Description: File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file.
Debian-Testing DTSA-37-1 clamav 2007-05-22
Debian DSA-1281-2 clamav 2007-05-21

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2007-2445
Created:May 17, 2007 Updated:March 23, 2009
Description: Libpng can be crashed when processing malformed PNG files. It may also be possible to exploit this vulnerability to execute arbitrary code.
Gentoo 201412-11 emul-linux-x86-baselibs 2014-12-11
Oracle ELSA-2012-0317 libpng 2012-02-21
Debian DSA-1750-1 libpng 2009-03-22
Debian DSA-1613-1 libgd2 2008-07-22
Fedora FEDORA-2008-3979 libpng10 2008-05-28
Ubuntu USN-472-1 libpng 2007-06-11
Mandriva MDKSA-2007:116 libpng 2007-06-05
Gentoo 200705-24 libpng 2007-05-31
Fedora FEDORA-2007-0001 libpng10 2007-06-01
Fedora FEDORA-2007-529 libpng 2007-05-24
Fedora FEDORA-2007-528 libpng 2007-05-24
Red Hat RHSA-2007:0356-01 libpng 2007-05-17
OpenPKG OpenPKG-SA-2007.013 ghostscript 2007-05-18
Foresight FLEA-2007-0018-1 libpng 2007-05-17
Slackware SSA:2007-136-01 libpng 2007-05-17
rPath rPSA-2007-0102-1 libpng 2007-05-16

Comments (none posted)

mod_security: remote rule bypass

Package(s):mod_security CVE #(s):CVE-2007-1359
Created:May 17, 2007 Updated:May 23, 2007
Description: The Apache mod_security extension has a remote rule bypass vulnerability. A remote attacker can exploit this by sending a specially crafted POST request that bypasses the module ruleset. The attacker can potentially use this to execute arbitrary code with the privileges of the web server.
Gentoo 200705-17 mod_security 2007-05-17

Comments (none posted)

mydns: buffer overflows

Package(s):mydns CVE #(s):CVE-2007-2362
Created:May 23, 2007 Updated:December 17, 2007
Description: Multiple buffer overflows in MyDNS allow remote attackers to cause a denial of service (daemon crash) and possibly execution of arbitrary code.
Debian DSA-1434-1 mydns 2007-12-16
Debian-Testing DTSA-36-1 mydns 2007-05-22

Comments (none posted)

phpwiki: remote code execution

Package(s):phpwiki CVE #(s):CVE-2007-2024 CVE-2007-2025
Created:May 17, 2007 Updated:September 12, 2007
Description: The phpwiki Upload page does not properly check the extension of a file. This can be used by a remote attacker to upload a specially crafted PHP file and execute arbitrary PHP code with the privileges of the PhpWiki user.
Debian DSA-1371-1 phpwiki 2007-09-11
Gentoo 200705-16 phpwiki 2007-05-17

Comments (none posted)

ratbox: denial of service

Package(s):ratbox CVE #(s):
Created:May 18, 2007 Updated:May 23, 2007
Description: A Denial of Service (DoS) vulnerability exists in the Ratbox IRC Daemon, versions up to and including 2.2.5. Too many pending connections to the server from a single unknown client could result in a resource starvation.
OpenPKG OpenPKG-SA-2007.017 ratbox 2007-05-18

Comments (none posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds