RE: Serious flaw in Linksys wireless AP password security
When upgrading my WRT54GS (v 1.0) router to the 4.50.6 and 4.70.6
firmwares, I experienced no such authentication problems.
If the router was set wide open, I could connect without authentication.
As soon as I specified WPA-PSK on the router, in order for me to connect
via the NIC I absolutely had to have the WZC configured for WPA-PSK
(TKIP or AES accordingly) and HAD to have the correct password
configured as well. (And the SSID of course...)
If the proper settings were not configured into the WZC after enabling
WPA-PSK, I was not able to connect to the router.
I am certain of these details as I was trying to get the WPA2 feature to
work on my NIC that didn't have WPA2 certified drivers at the time. I
ended up trying every damned near possible configuration before
realizing that it was my drivers that weren't working on my NIC before
having to settle with just WPA until Linksys updated their drivers on
their website...
Though, since we are on the subject of the WRT54GS router. The 4.50.6
and 4.70.6 firmwares enable the WPA2 feature. AND Linksys was kind
enough to finally release WPA2 certified drivers for the WPC54GS NIC's
(and I am assuming the WPC54G) as well. So if you haven't updated, you
may want to condsider doing so for the increased security.
Rob.
-----Original Message-----
From: Steve Scherf [mailto:bugtraq@xxxxxxxxxxxx]
Sent: Sunday, August 14, 2005 12:53 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Serious flaw in Linksys wireless AP password security
It appears that firmware version 4.50.6 for the Linksys WRT54GS
(hardware version 1) wireless router allows wireless clients to connect
and use the network without actually authenticating. With WPA
Personal/TKIP authentication enabled, the unit allows both clients using
encryption with the correct settings and key, and clients not using any
encryption. It disallows clients attempting to use encryption with the
wrong settings and/or key.
In other words, even if you think you've secured your wireless network
from unauthorized access, anyone can access it. It actually shows up as
having no password security on a Macstumbler scan, which is how I
noticed the problem.
I verified that anyone can access the network without needing to know
the key.
I did not check security modes other than WPA/TKIP. Other modes may have
different behavior. Changing the "Authentication Type" setting had no
effect on this problem. I believe it should be set to "Shared Key", but
the setting used does not appear to matter.
I only verified the problem on firmware 4.50.6. It is unknown if other
firmware versions exhibit the problem. However, at least one older
firmware does not exhibit the problem, as my router functioned correctly
until I updated to 4.50.6.
The problem appears to be fixed in version 4.70.6. No expliclit notice
of this problem or the fix appears in the release notes for version
4.70.6.
Strangely, the "Authentication Type" must be set to "Auto" for the unit
to function properly. Should it be set to "Shared Key", which one might
expect to be the correct value, the wireless functionality appears to be
entirely disabled.
It is unknown if this problem is seen with other hardware versions, or
with other models. I suspect it may, given the similarity between many
of the Linksys models and their firmware.
--
Steve Scherf
bugtraq@xxxxxxxxxxxx