Exploit released for vulnerability targeted by Linksys router worm

The list of affected router models is larger than previously thought

Technical details about a vulnerability in Linksys routers that's being exploited by a new worm have been released Sunday along with a proof-of-concept exploit and a larger than earlier expected list of potentially vulnerable device models.

Last week, security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon.

The initial report from SANS ISC said the vulnerability is located in a CGI script that's part of the administration interface of multiple Linksys' E-Series router models. However, the SANS researchers didn't name the vulnerable CGI script at the time.

On Sunday, a Reddit user identified four CGI scripts that he believed were likely to be vulnerable. An exploit writer, who uses the online alias Rew, later confirmed that at least two of those scripts are vulnerable and published a proof-of-concept exploit.

"I was hoping this would stay under wraps until a firmware patch could be released, but it appears the cat is out of the bag," Rew wrote in the exploit notes.

The exploit also contains a list of Linksys routers that Rew believes might be vulnerable based on strings extracted from the original TheMoon malware. The list includes not only models from the Linksys E-Series, but also from the Wireless-N product line.

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

Linksys owner Belkin confirmed that some Wireless-N routers are also affected, but didn't name the exact models.

"Linksys is aware of the malware called 'The Moon' that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers," said Karen Sohl, director of global communications at Belkin, in an emailed statement Sunday. "The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."

Sohl said customers can disable the remote management feature and reboot their routers to remove the malware, which suggests that the worm is not persistent across reboots.

Linksys published a technical article on its website with instructions on how to install the latest firmware version and disable remote management on affected devices. This solution might not be practical for router administrators who need to manage devices deployed in remote locations, but so far it appears to be the only official mitigation strategy offered by the vendor.

"Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks," Sohl said.

The public release of a proof-of-concept exploit exposes the vulnerable routers to potential opportunistic and targeted attacks in addition to TheMoon malware threat. Cybercriminals have recently started compromising home routers to launch attacks against online banking users, suggesting the risk associated with serious vulnerabilities in routers is not just theoretical.

Join the PC World newsletter!

Error: Please check your email address.

Tags Linksysonline safetySANS InstituteNetworkingsecurityroutersbelkinExploits / vulnerabilitiesmalwarenetworking hardwareintrusion

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?