Cisco Talos is disclosing several vulnerabilities in the operating system on the Linksys E Series of routers.

Multiple exploitable OS command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine.

The E Series is a line of routers for small and home offices that contain several features to make them easier to use. The routers are designed to connect home computers, internet-ready TVs, game consoles, smartphones and other Wi-Fi devices.

Vulnerability Details

TALOS-2018-0625 describes three related vulnerabilities: CVE-2018-3953, CVE-2018-3954 and CVE-2018-3955.

Many of the configuration details passed to the E Series of routers during their configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details.

All command injection paths follow this process:

When the apply.cgi page is requested with parameters indicating a change to persistent configuration settings, those parameters are processed by the 'get_cgi' function call during, which then get placed directly into NVRAM via a 'nvram_set' call.

After certain configuration changes are made, including both of the changes associated with these vulnerabilities, the device must be rebooted. The httpd binary handles this by sending a SIGHUP signal to PID 1, a binary named 'preinit'. The device then enters a code path where it restarts all necessary system services.

When the 'preinit' binary enters this code path, it exposes functionality where raw data from nvram_get calls is passed into system commands.

In CVE-2018-3953, the data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. The machine_name data goes through the nvram_set process described above. Eventually, within the 'start_lltd' function, a 'nvram_get' call is used to obtain the value of the user-controlled 'machine_name' NVRAM entry. This value is then entered directly into a command intended to write the hostname to a file and then execute it.

CVE-2018-3954 applies to the same input field but follows a slightly different code path. Here, the vulnerability is triggered by 'set_host_domain_name' function in libshared.so where nvram_get is called against the 'machine_name' parameter. The result of that operation is subsequently combined with a string via a sprintf call and passed directly into the system command.

Finally, in CVE-2018-3955, the data entered into the 'Domain Name' input field through the web portal is submitted to apply.cgi as the value to the 'wan_domain' POST parameter. The wan_domain data goes through the nvram_set process described above.

When the 'preinit' binary receives the SIGHUP signal, it enters a code path that calls a function named 'set_host_domain_name' from its libshared.so shared object, which calls nvram_get against the 'wan_domain' parameter. The result of that operation is subsequently combined with a string via a snprintf call and passed directly into the system command.

Affected devices

The vulnerabilities are confirmed in multiple devices of the Linksys E Series of wireless routers with various firmware versions. Users are advised to update their routers to the latest version released by the manufacturer.

Discussion

Home routers have become one of the main targets for malicious attacks. Although these vulnerabilities require the attacker to have already authenticated with the device, the vulnerabilities are serious as they allow a potential attacker full control over the device, which may include installation of additional malicious code.

Widespread internet-of-things attacks such as Mirai and VPNFilter show that attackers will keep their focus on discovering new vulnerabilities which would allow them to infect devices and conduct large scale as well as targeted attacks. These attacks are more difficult to detect and protection is available only after their manufacturers update the firmware and patch the vulnerability.

Keeping the device firmware up to date is crucial to avoid SOHO routers participating in a distributed denial-of-service (DDoS) attack or becoming an infection vector in an attack targeted to your organization.

Coverage

The following SNORTⓇ rule detects attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort rule: 47133