Title: Multiple Linksys Devices DHCP Information Disclosure and Denial of Service Vulnerability
Severity: HIGH
Description:
Linksys BEF, WRT and WRV devices are broadband routers featuring various combinations of wireless access points and small hubs.
The built-in DHCP server on these devices is reported to be prone to an information disclosure vulnerability. Attempts to exploit this issue may reportedly also cause a denial of service condition, preventing legitimate users from using the device.
The DHCP server application on the device reportedly does not handle BOOTP packets properly, and can disclose the contents of the device's memory to an attacker. It may be possible for an attacker to use this vulnerability to watch traffic on an affected device.
To exploit this vulnerability, an attacker would craft BOOTP packets and broadcast them to the device. The reply packets may contain portions of the router's memory, including the contents of packets as they pass through the router. As the attacker sends a number of these packets, there is a possibility that the device will stop routing packets and require a restart.
It may be possible for an attacker to steal the router administrator's password or other sensitive data as it passes through the router. An attacker may also be able to crash the router, denying service to legitimate users.
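For defenders checking whether a device on their network returns stale memory in its replies, the following added example (not part of the original advisory or any vendor code) audits a captured BOOTP/DHCP reply payload for data in regions that RFC 951 and RFC 2131 expect to be zero. The advisory does not say where in the reply the memory appears, so the checked regions are an assumption, and `audit_reply`, `after_nul` and `sample_reply` are names chosen for this illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP/BOOTP vendor magic cookie (RFC 2131 / RFC 1497)
FIXED = 236                   # fixed BOOTP header: op .. file (RFC 951)

def after_nul(field):
    """Bytes following the first NUL of a C-string field; expected to be all zero."""
    i = field.find(b"\x00")
    return b"" if i < 0 else field[i + 1:]

def audit_reply(payload):
    """Return findings for one UDP payload seen from server port 67."""
    if len(payload) < FIXED:
        return ["truncated: shorter than the fixed BOOTP header"]
    op, _htype, hlen = struct.unpack_from("!BBB", payload)
    if op != 2:                           # only BOOTREPLY is audited
        return []
    found = []
    if any(payload[28:44][hlen:]):
        found.append("chaddr: non-zero bytes past hlen")
    # Assumes option 52 (overload) is not in use; with it, sname/file carry options.
    if any(after_nul(payload[44:108])):
        found.append("sname: data after NUL terminator")
    if any(after_nul(payload[108:236])):
        found.append("file: data after NUL terminator")
    vend, i = payload[FIXED:], 4
    if vend[:4] != MAGIC:
        return found
    while i < len(vend):
        code = vend[i]
        if code == 255:                   # End option: the rest must be zero padding
            if any(vend[i + 1:]):
                found.append("options: non-zero bytes after End")
            break
        if code == 0:                     # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(vend) or i + 2 + vend[i + 1] > len(vend):
            found.append("options: length runs past end of packet")
            break
        i += 2 + vend[i + 1]
    else:
        found.append("options: no End option")
    return found

def sample_reply(sname=b"", tail=b""):
    """Constructed BOOTREPLY for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]), bytes(4))
    hdr += bytes.fromhex("001122334455").ljust(16, b"\0") + sname.ljust(64, b"\0") + bytes(128)
    return hdr + MAGIC + b"\x35\x01\x02\xff" + tail
```

A finding is a reason to inspect the reply by hand, not proof of a leak; some servers legitimately place vendor data in these regions.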
Affected Products:
- Linksys BEFCMU10
- Linksys BEFN2PS4 1.42.7
- Linksys BEFSR41W
- Linksys BEFSR81
- Linksys BEFSX41 1.42.7
- Linksys BEFSX41 1.43.0
- Linksys BEFSX41 1.43.3
- Linksys BEFSX41 1.43.4
- Linksys BEFSX41 1.44.0
- Linksys BEFSX41 1.44.3
- Linksys BEFSX41 1.45.3
- Linksys BEFVP41 1.40.0 .3f
- Linksys BEFVP41 1.40.0 .4
- Linksys BEFVP41 1.42.7
- Linksys EtherFast BEFN2PS4 Router
- Linksys EtherFast BEFSR11 Router 1.40.2
- Linksys EtherFast BEFSR11 Router 1.41.0
- Linksys EtherFast BEFSR11 Router 1.42.3
- Linksys EtherFast BEFSR11 Router 1.42.7
- Linksys EtherFast BEFSR11 Router 1.43.0
- Linksys EtherFast BEFSR11 Router 1.43.3
- Linksys EtherFast BEFSR11 Router 1.44.0
- Linksys EtherFast BEFSR41 Router 1.35.0
- Linksys EtherFast BEFSR41 Router 1.36.0
- Linksys EtherFast BEFSR41 Router 1.37.0
- Linksys EtherFast BEFSR41 Router 1.38.0
- Linksys EtherFast BEFSR41 Router 1.39.0
- Linksys EtherFast BEFSR41 Router 1.40.2
- Linksys EtherFast BEFSR41 Router 1.41.0
- Linksys EtherFast BEFSR41 Router 1.42.3
- Linksys EtherFast BEFSR41 Router 1.42.7
- Linksys EtherFast BEFSR41 Router 1.43.0
- Linksys EtherFast BEFSR41 Router 1.43.3
- Linksys EtherFast BEFSR41 Router 1.44.0
- Linksys EtherFast BEFSR41 Router 1.45.7
- Linksys EtherFast BEFSR81 Router
- Linksys EtherFast BEFSR81 Router 2.42.7
- Linksys EtherFast BEFSR81 Router 2.44.0
- Linksys EtherFast BEFSRU31 Router 1.40.2
- Linksys EtherFast BEFSRU31 Router 1.41.0
- Linksys EtherFast BEFSRU31 Router 1.42.3
- Linksys EtherFast BEFSRU31 Router 1.42.7
- Linksys EtherFast BEFSRU31 Router 1.43.0
- Linksys EtherFast BEFSRU31 Router 1.43.3
- Linksys EtherFast BEFSRU31 Router 1.44.0
- Linksys EtherFast BEFVP41 Router
- Linksys EtherFast BEFVP41 Router 1.39.64
- Linksys RV082
- Linksys WAP55AG 1.0.7
- Linksys WPC300N - Wireless-N Notebook Adapter 4.100.15.5
- Linksys WRT54G v2.0 2.0.0 0.8 (Firmware)
References:
- Linksys: BEFSR41 V1, V2, and V3 DHCP Server and BOOTP Packet Vulnerability
- Linksys: Cable/DSL Routers Product Page
- Linksys: Linksys Homepage