Have a Linksys router? You’ll want to read this.
Technical details about a vulnerability in Linksys routers that is being exploited by a new worm were released on Sunday, along with a proof-of-concept exploit and a longer list of potentially vulnerable device models than previously expected. Over the last week, security researchers from the SANS Institute ISC identified a new self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon. Since their announcement, four additional devices have been found that are believed to be susceptible to the same exploit.
The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, this list is still growing and may not be accurate or complete, as testing is still underway.
According to ISC, Linksys owner Belkin confirmed that some Wireless-N routers are also affected, but didn’t name the exact models.
“Linksys is aware of the malware called ‘The Moon’ that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers,” said Karen Sohl, director of global communications at Belkin, in an emailed statement Sunday. “The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default.”
Linksys published a technical article on its website about the vulnerability. This appears to be the only official mitigation strategy offered by the vendor.
This is the latest exploit targeting “prosumer” class devices, which are used in both home and small business networks. Earlier exploits against such devices have sought to capture information such as banking, credit card, and other personal data.
CIT urges the owners of any Linksys or Belkin wireless or router products to monitor this situation closely, to disable remote management on their devices, and to apply the most recent firmware.