RE: Serious flaw in Linksys wireless AP password security Aug 15 2005 10:42PM
Robert Thompson Jr. (rthompson columbiabank com) (1 replies)
Re: Serious flaw in Linksys wireless AP password security Aug 16 2005 05:59PM
Steve Scherf (steve moonsoft com)
FYI, the problem I reported has been reproduced over at Broadband Reports:


Steve Scherf
steve (at) moonsoft (dot) com [email concealed]

On Mon, Aug 15, 2005 at 03:42:03PM -0700, Robert Thompson Jr. wrote:
> From: "Robert Thompson Jr." <rthompson (at) columbiabank (dot) com [email concealed]>
> Subject: RE: Serious flaw in Linksys wireless AP password security
> Date: Mon, 15 Aug 2005 15:42:03 -0700
> To: Steve Scherf <bugtraq (at) moonsoft (dot) com [email concealed]>, bugtraq (at) securityfocus (dot) com [email concealed]
> When upgrading my WRT54GS (v 1.0) router to the 4.50.6 and 4.70.6
> firmwares, I experienced no such authentication problems.
> If the router was set wide open, I could connect without authentication.
> As soon as I specified WPA-PSK on the router, in order for me to connect
> via the NIC I absolutely had to have the WZC configured for WPA-PSK
> (TKIP or AES accordingly) and HAD to have the correct password
> configured as well. (And the SSID of course...)
> If the proper settings were not configured into the WZC after enabling
> WPA-PSK, I was not able to connect to the router.
> I am certain of these details as I was trying to get the WPA2 feature to
> work on my NIC that didn't have WPA2 certified drivers at the time. I
> ended up trying every damned near possible configuration before
> realizing that it was my drivers that weren't working on my NIC before
> having to settle with just WPA until Linksys updated their drivers on
> their website...
> Though, since we are on the subject of the WRT54GS router. The 4.50.6
> and 4.70.6 firmwares enable the WPA2 feature. AND Linksys was kind
> enough to finally release WPA2 certified drivers for the WPC54GS NIC's
> (and I am assuming the WPC54G) as well. So if you haven't updated, you
> may want to condsider doing so for the increased security.
> Rob.
> -----Original Message-----
> From: Steve Scherf [mailto:bugtraq (at) moonsoft (dot) com [email concealed]]=20
> Sent: Sunday, August 14, 2005 12:53 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Serious flaw in Linksys wireless AP password security
> It appears that firmware version 4.50.6 for the Linksys WRT54GS
> (hardware version 1) wireless router allows wireless clients to connect
> and use the network without actually authenticating. With WPA
> Personal/TKIP authentication enabled, the unit allows both clients using
> encryption with the correct settings and key, and clients not using any
> encryption. It disallows clients attempting to use encryption with the
> wrong settings and/or key.
> In other words, even if you think you've secured your wireless network
> from unauthorized access, anyone can access it. It actually shows up as
> having no password security on a Macstumbler scan, which is how I
> noticed the problem.
> I verified that anyone can access the network without needing to know
> the key.
> I did not check security modes other than WPA/TKIP. Other modes may have
> different behavior. Changing the "Authentication Type" setting had no
> effect on this problem. I believe it should be set to "Shared Key", but
> the setting used does not appear to matter.
> I only verified the problem on firmware 4.50.6. It is unknown if other
> firmware versions exhibit the problem. However, at least one older
> firmware does not exhibit the problem, as my router functioned correctly
> until I updated to 4.50.6.
> The problem appears to be fixed in version 4.70.6. No expliclit notice
> of this problem or the fix appears in the release notes for version
> 4.70.6.
> Strangely, the "Authentication Type" must be set to "Auto" for the unit
> to function properly. Should it be set to "Shared Key", which one might
> expect to be the correct value, the wireless functionality appears to be
> entirely disabled.
> It is unknown if this problem is seen with other hardware versions, or
> with other models. I suspect it may, given the similarity between many
> of the Linksys models and their firmware.
> --
> Steve Scherf
> bugtraq (at) moonsoft (dot) com [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus