An exploit has surfaced that could allow an attacker to monitor traffic from some Linksys Group Inc. routers or crash the devices.
The exploit, credited to Jon Hart, was published by the security alert service SecuriTeam.com, and Linksys has yet to release a fix for the issue, according to researchers.
The exploit has been confirmed on BEFSR41 and BEFW11S4 routers, commonly used by small and medium-sized businesses as a broadband gateway, but may affect any Linksys router with a DHCP server, according to Hart.
A newer version of the BEFSR41 is not vulnerable, according to Danish security firm Secunia. The device is available in several versions; versions 1 and 2 use firmware that has not been updated for a year, while version 3 is more up-to-date -- any firmware after version 1.05.00 fixes the problem, Secunia said.
"Unfortunately, newer firmware isn't available for all affected devices despite this being brought to Linksys' attention back in January," Hart told Techworld.
The problem lies in the way the DHCP server handles BOOTP requests, according to Hart. The server fills the fields of its BOOTP reply with portions of memory; if the router has handled traffic recently, that traffic turns up in those fields. If enough BOOTP packets are sent, the router stops routing packets and must be rebooted to recover, Hart said. The exploit can only retrieve recent traffic.
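Both symptoms described above can be checked for from the network side. In a well-formed BOOTP reply the sname and file fields are NUL-terminated strings and the unused chaddr bytes past hlen are padding, so every byte after the terminator should be zero; a server that fills those fields from stale memory shows up as non-zero padding. The following is an added example, not code from the article, from SecuriTeam or from Linksys: a small parser that flags replies with non-zero padding and extracts the printable fragments, plus a sliding-window counter for BOOTP request floods. The sample packets, the flood threshold of 50 requests in 10 seconds and the MAC addresses are all constructed for illustration.

```python
"""Inspect BOOTP/DHCP replies for padding that should be zero, and count request floods."""
import struct
from collections import defaultdict
from typing import Iterable, List, Tuple

BOOTP_HEADER_LEN = 236                  # fixed part: op..file, before the options area
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
BOOTREPLY = 2


def _after_terminator(field: bytes) -> bytes:
    """Bytes following the first NUL of a NUL-terminated string field (should be all zero)."""
    nul = field.find(b"\x00")
    return b"" if nul < 0 else field[nul + 1:]


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Like the `strings` tool: ASCII runs of at least min_len characters."""
    runs, current = [], bytearray()
    for b in data + b"\x00":             # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append(current.decode("ascii"))
            current = bytearray()
    return runs


def inspect_bootp_reply(pkt: bytes) -> List[Tuple[str, str]]:
    """Return (field, fragment) pairs for every reply field whose padding is not zero."""
    if len(pkt) < BOOTP_HEADER_LEN:
        raise ValueError("too short to be a BOOTP message")
    op, _htype, hlen, _hops = struct.unpack_from("!BBBB", pkt, 0)
    if op != BOOTREPLY:
        return []                        # only replies can carry server memory
    chaddr, sname, file_ = pkt[28:44], pkt[44:108], pkt[108:236]
    checks = (
        ("chaddr", chaddr[hlen:] if hlen <= 16 else chaddr),
        ("sname", _after_terminator(sname)),
        ("file", _after_terminator(file_)),
    )
    findings = []
    for name, padding in checks:
        if any(padding):                 # any non-zero byte where only zeros belong
            for fragment in printable_runs(padding) or [padding.hex()]:
                findings.append((name, fragment))
    return findings


def bootp_flood_sources(events: Iterable[Tuple[float, str]],
                        window_s: float = 10.0, threshold: int = 50) -> List[str]:
    """Sources that sent more than `threshold` BOOTP requests inside any `window_s` span.

    events: (timestamp_seconds, source_mac) pairs, in any order. Threshold is an assumption.
    """
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def build_reply(sname: bytes = b"", file: bytes = b"") -> bytes:
    """Constructed BOOTREPLY for testing (not captured from a real device)."""
    head = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)  # 12 bytes
    addrs = bytes(16)                    # ciaddr/yiaddr/siaddr/giaddr all 0.0.0.0
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\x00")
    return (head + addrs + chaddr
            + sname.ljust(64, b"\x00")[:64]
            + file.ljust(128, b"\x00")[:128]
            + DHCP_MAGIC_COOKIE + b"\x35\x01\x02\xff")  # DHCPOFFER, end option


# Constructed samples: a healthy reply and one whose padding carries stale memory.
CLEAN_REPLY = build_reply(sname=b"linksys\x00")
LEAKY_REPLY = build_reply(
    sname=b"\x00admin:hunter2\x00",
    file=b"\x00GET /item/ti-book HTTP/1.1\r\nHost: ebay.com",
)
# Constructed request log: 60 requests in 6 s from one MAC, 5 from another.
REQUEST_LOG = [(i * 0.1, "aa:bb:cc:dd:ee:01") for i in range(60)] + \
              [(i * 2.0, "aa:bb:cc:dd:ee:02") for i in range(5)]

if __name__ == "__main__":
    print("clean:", inspect_bootp_reply(CLEAN_REPLY))
    print("leaky:", inspect_bootp_reply(LEAKY_REPLY))
    print("flooding:", bootp_flood_sources(REQUEST_LOG))
```

Run against a capture by handing `inspect_bootp_reply` the UDP payload of each packet from port 67; a non-empty result on a reply from the gateway is the signal that the DHCP server is echoing memory, and `bootp_flood_sources` over the request timestamps gives an early warning before the router stops forwarding.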
"I have successfully used this technique to steal the admin user name and password from an innocent third party who recently configured the device, and I watched someone's traffic as they browsed ebay for a new Ti-Book," Hart wrote.
Secunia said that, if the router is properly configured, the vulnerability could in most cases only be exploited by users on the local network. "DHCP traffic should be restricted to a local network only," said Secunia researcher Carsten H. Eiram. "Accepting DHCP traffic from the Internet and other untrusted networks is a potential security issue in itself."
Hart agreed, but noted that Linksys routers attached to a wireless network are likely to be more at risk. "'Local network access' has an entirely new meaning when wireless is brought into the picture. It basically means anyone within range of your signal could likely exploit this," he said.