Linksys Router Flaws Exposed, Poc Published, Patch Unavailable!

Cybersecurity researchers have recently disclosed two significant security vulnerabilities in the Linksys E5600 router, both of which could allow attackers to perform command injections. These findings, identified by the CoreSecurity OT/ICS Research Team, are particularly concerning as they affect routers operating on Firmware Version 1.1.0.26, for which no patches are currently available.

Understanding the Vulnerabilities

The vulnerabilities, cataloged as CVE-2024-33788 and CVE-2024-33789, both involve command injection exploits that can be triggered due to insufficient input validation mechanisms within the router’s firmware.

CVE-2024-33788: Wi-Fi Protected Setup Flaw

The first vulnerability, CVE-2024-33788, arises in the Wi-Fi Protect Config setting of the router. When a user registers a device using a PIN number, the input is not adequately filtered, allowing for command injection. The specific flaw is located in the router’s Lua script at squashfs-root/usr/share/lua/runtime.lua:1561 where the pt[”PinCode”] value is processed.

function runtime.wpsProcess(pt)
        local ret = '"OK"'

        print("wpsProcess")

    if pt["Mode"] == 'PBC' then
                os.execute("wps_action.sh PBC &")

        elseif pt["Mode"] == 'PIN' and pt["PinCode"] ~= nil then

[1]     cmd = 'wps_action.sh PIN '..pt["PinCode"]..' &'
[2]     os.execute(cmd)

    elseif pt["Mode"] == 'STOP' then
        print("wpsProcess STOP")

        cmd = 'ps | grep wps_action.sh | grep -v grep | awk \'{print $1}\' | xargs kill'
        os.execute(cmd)

        else
        print("wpsProcess Fail")
        end

       return ret
end

Malicious actors can exploit this by injecting commands that the router’s operating system will execute.

CVE-2024-33789: Diagnostics Trouble

The second vulnerability, CVE-2024-33789, is found within the router’s Diagnostics menu, particularly in the ping test function. Here, the input for IP or URL addresses is not properly sanitized, leading to potential command injections. This issue stems from the same Lua script, but at a different point (squashfs-root/usr/share/lua/runtime.lua:491).

function runtime.pingTest(pt)
        local ret = '"NOK"'
        local logpath = "/tmp/ping.log"
        if pt ~= nil then
                print("Stop pingTest")
                os.execute("killall -2 ping")
                ret = '"OK"'
                if pt["count"] ~= nil and pt["pkgsize"] ~= nil and pt["ipurl"] ~=nil then
                        --For x86 -c option is not work
                        local copt=' '
                        if pt["count"] ~= '0' then
                                copt = " -c "..pt["count"]..copt
                        end
[1]                     local cmd = "/bin/ping -W1"..copt.."-s "..pt["pkgsize"].." "..pt["ipurl"].." > "..logpath.." 2>&1 &"
                        print("Do ["..cmd.."]")
[2]                     os.execute(cmd)
                        runtime.savefileline(logpath, "w", "1")
                        ret = '"OK"'
                end
                return ret
        else
                print("Only get ping result")
                ret = runtime.showfilefromline("pingTest", logpath, 1)
        end

        return ret
end

The pt[”ipurl”] field, when manipulated with malicious input, could cause unauthorized command execution, allowing attackers to potentially take control of the device.

Implications of These Flaws

Both vulnerabilities expose users to significant risks, as attackers can leverage these flaws to execute arbitrary commands on the routers. This could lead to unauthorized access to the network, data theft, or even further spread of malware within connected systems. The nature of these vulnerabilities makes them extremely critical, especially in environments where routers like the Linksys E5600 are deployed in large numbers or in sensitive contexts.

The Worrying Factor:

These vulnerabilities are reported to affect Linksys E5600 routers running firmware version 1.1.0.26. Critically, no official patches are currently available. This lack of a security update puts numerous devices at continued risk of exploitation. Additionally, the publication of proof-of-concept code [1, 2] by CoreSecurity means malicious actors now have a blueprint for potential attacks.

What You Can Do to Protect Yourself

1. Check Your Firmware: Verify the firmware version installed on your Linksys E5600 router. If it’s the susceptible version, take measures to minimize the risk.
2. Disable WPS if Possible: While convenient, Wi-Fi Protected Setup has known weaknesses. If it’s not essential for your setup, disable WPS on your router.
3. Be Very Careful with Diagnostics: Avoid using the ping test tool from the router’s interface unless necessary. If you do, input only known and trusted IP addresses or websites.
4. Monitor for Updates: Keep a close eye on Linksys support channels for any news of an official firmware patch. Once an update becomes available, apply it immediately.
5. Consider a Replacement: If your router is a few years old, it may be time to consider an upgrade to a more modern and actively supported model with stronger security features.