Linksys Response to Alleged Security Vulnerability on its BEFSR41 Router
linksys.com
The Linksys 4-Port Cable/DSL Router (BEFSR41) using a firmware version prior to 1.42.7 is susceptible to a remote gozila.cgi script attack only when the default setting is reconfigured to enable "Remote Administration" and the intruder knows the password. Internal gozila.cgi attacks only take place if a user inadvertently activates a malicious link, file or other form of code that includes the password or tricks the user into entering the password, similar to the way an email virus is triggered.
Since Linksys ships all its routers with "Remote Administration" disabled by default, the vulnerability issue raised by iDEFENSE Security Advisory 10.31.02a cannot be executed remotely unless a user has purposely enabled remote access and the password is known, such as when the Linksys default password has not been changed or the password has been given out to others.
Other similar products on the market with a "Remote Administration" feature may also be prone to alleged security vulnerabilities when remote access is enabled and the intruder knows the password. Internal cgi attacks can best be avoided by not clicking on links or executing programs from untrusted sources.
Linksys encourages its router users to upgrade BEFSR41 router firmware to 1.42.7 or later, and to disable "Remote Administration" whenever the feature is not being used. All Linksys routers have the "Block WAN Request" feature enabled by default as an additional security measure, preventing users from being "pinged," or pinpointed, on the Internet. Linksys also encourages network users to practice standard security measures regularly, such as changing default passwords on network devices and disabling idle remote access.
The BEFSR41's latest firmware version 1.43 is available for free download at linksys.com.
[mark's note: looks to me like basically, most BEFSR41 users have nothing to worry about if they have a good strong password (in place of the linksys default password, which is 'password', i believe), and as long as they have not changed the factory default settings for remote administration. in addition, checking the default setting for blocking WAN requests is advisable, per the linksys response.
i was relieved to confirm that my settings are correcto, and one of the very first things i did when i configured the router way back when was to put a strong password in place. if i'm not mistaken, linksys supports up to 64 characters for the password. i ran out of imagination after 32 characters.
as always, safe computing standards call for selecting passwords that are a combination of alpha and numeric characters.... but we all knew that.
after viewing the bulletin, i now know that the very best course of action for me to take regarding firmware upgrades for the BEFSR41 router is TO DO NOTHING!]