[NEWS] Linksys WRT54GS WPA Personal/TKIP Authentication Flaws

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Linksys WRT54GS WPA Personal/TKIP Authentication Flaws
------------------------------------------------------------------------


SUMMARY

Linksys WRT54GS is "Internet-sharing Router, 4-port Switch, and 
performance enhanced Wireless-G (802.11g) Access Point". A flaw in Linksys 
WRT54GS Wireless Router allows unauthorized access when WPA/TKIP 
authentication mode is on.

DETAILS

Vulnerable Systems:
 * Linksys WRT54GS firmware version 4.50.6

It appears that firmware version 4.50.6 for the Linksys WRT54GS (hardware 
version 1) wireless router allows wireless clients to connect and use the 
network without actually authenticating. With  
<http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access> WPA Personal/ 
<http://en.wikipedia.org/wiki/TKIP> TKIP authentication enabled, the unit 
allows both clients using encryption with the correct settings and key, 
and clients not using any encryption. It disallows clients attempting to 
use encryption with the wrong settings and/or key.

In other words, even if you think you've secured your wireless network 
from unauthorized access, anyone can access it. It actually shows up as 
having no password security on a Macstumbler scan, which is how the 
problem noticed. It was verified that anyone can access the network 
without needing to know the key.

No security modes other than WPA/TKIP were checked. Other modes may have 
different behavior. Changing the "Authentication Type" setting had no 
effect on this problem. Its believed it should be set to "Shared Key", but 
the setting used does not appear to matter.

The problem was verified only on firmware 4.50.6. It is unknown if other 
firmware versions exhibit the problem. However, at least one older 
firmware does not exhibit the problem, as router functioned correctly 
until updated to 4.50.6.

The problem appears to be fixed in version 4.70.6. No explicit notice of 
this problem or the fix appears in the release notes for version 4.70.6. 
Strangely, the "Authentication Type" must be set to "Auto" for the unit to 
function properly. Should it be set to "Shared Key", which one might 
expect to be the correct value, the wireless functionality appears to be 
entirely disabled.

It is unknown if this problem is seen with other hardware versions, or 
with other models. Its suspected it may, given the similarity between many 
of the Linksys models and their firmware.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bugtraq@xxxxxxxxxxxx> Steve 
Scherf.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.