Several newly disclosed firmware vulnerabilities in the Linksys EA2700 Network Manager router could allow remote attackers to take control of the device, according to security expert Phil Purviance. An information security specialist at AppSec Consulting, Purviance found four software security vulnerabilities, the most severe of which gives an attacker administrative control over the router, Ars Technica reported. Belkin, which recently acquired the Linksys brand, said that these vulnerabilities had been fixed in the most recent version of the firmware, released last year.
In a post on his website, Purviance outlined four newly discovered vulnerabilities in the Linksys EA2700 router: a cross-site scripting issue; a file path traversal weakness; a flaw that allows a user to change the password without authentication and to enable remote management; and an error that allows a user to access the full source code of any page in the administration panel. Chained together, these vulnerabilities could enable an attacker to quickly take control of the router and gain administrative access to the network.
“If you have this router on your network and you browse [a] malicious website, five seconds later your router now has a new password and is available from the Internet,” Purviance told Ars Technica. “So [an attacker] can just log into it as if [he] was on your network.”
Vulnerable devices are easily discoverable via a Shodan search, Ars Technica reported. Consumers can protect themselves by upgrading the Linksys Smart Wi-Fi Firmware, which Belkin claimed was updated last year to address these vulnerabilities. This is not the first instance of a Linksys router flaw. In January, Cisco, which owned Linksys at the time, acknowledged an issue with the WRT54GL model that would allow an attacker to gain full access.
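The two most damaging issues described above, an unauthenticated password change and a path traversal in the admin panel, are both failures of basic request validation. The following is an added example, not code from the Linksys firmware or from Purviance's write-up, showing the weak pattern next to a hardened one in a hypothetical admin-panel handler: the hardened password change requires a logged-in session plus a per-session CSRF token carried in the request body (so a browser lured to a malicious page cannot trigger it silently), and the static-file resolver refuses any path that would escape the document root. `WEB_ROOT`, `STATE`, the initial password and all function names are constructed for the example.

```python
"""Hypothetical hardened admin-panel handlers (added example, not Linksys code)."""
import hashlib
import hmac
import posixpath
import secrets

WEB_ROOT = "/www"          # constructed: document root of the admin UI
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Device state, constructed for the example; a real device would persist this in NVRAM.
_salt = secrets.token_bytes(16)
STATE = {
    "salt": _salt,
    "password_hash": _hash_password("initial-password", _salt),
    "remote_management": False,
    "sessions": {},        # session id -> per-session CSRF token
}


# --- Weak pattern: the handler never asks who is making the request ---
def change_password_unauthenticated(new_password, enable_remote):
    """Any HTTP client, including a victim's browser on a malicious page, can call this."""
    STATE["password_hash"] = _hash_password(new_password, STATE["salt"])
    STATE["remote_management"] = enable_remote
    return True


# --- Hardened pattern: authenticate, then require a CSRF token from the request body ---
def login(password):
    """Return (session_id, csrf_token) on success, None on a wrong password."""
    candidate = _hash_password(password, STATE["salt"])
    if not hmac.compare_digest(candidate, STATE["password_hash"]):
        return None
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    STATE["sessions"][sid] = csrf
    return sid, csrf


def change_password(session_id, csrf_token, new_password, enable_remote=False):
    """Change the admin password only for a live session presenting its CSRF token."""
    expected = STATE["sessions"].get(session_id)
    if expected is None:
        return False           # not logged in
    if not hmac.compare_digest(expected, csrf_token):
        return False           # cookie alone is not enough; the body token must match
    if len(new_password) < 8:
        return False           # reject trivially weak replacements
    STATE["password_hash"] = _hash_password(new_password, STATE["salt"])
    STATE["remote_management"] = enable_remote
    STATE["sessions"].clear()  # invalidate every session after a credential change
    return True


def resolve_static_path(requested):
    """Map a URL path onto WEB_ROOT; return None if it would escape the root."""
    rel = posixpath.normpath(requested.lstrip("/"))
    if rel == ".":
        rel = "index.html"     # bare "/" serves the index page
    if rel == ".." or rel.startswith("../") or posixpath.isabs(rel):
        return None            # normalised path still climbs above the root
    return posixpath.join(WEB_ROOT, rel)


if __name__ == "__main__":
    sid, csrf = login("initial-password")
    print("forged request accepted:", change_password("forged-sid", csrf, "attacker-pw"))
    print("legitimate change accepted:", change_password(sid, csrf, "correct-horse", True))
    print("traversal resolved to:", resolve_static_path("../../etc/passwd"))
```

The session identifier stands in for a cookie the browser attaches automatically; the CSRF token is what a cross-site page cannot read or supply, which is why the handler checks both. Clearing all sessions after a password change also limits how long a stolen session remains useful.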
Rather than navigate a patch cycle and continue to address vulnerability announcements even after fixing issues, companies can strengthen the security of their devices during the development process by using tools such as static analysis software. By instituting a secure development lifecycle, businesses can avoid these complications.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.