FYI, the problem I reported has been reproduced over at Broadband Reports: http://www.broadbandreports.com/forum/remark,14141344 -- Steve Scherf steve@xxxxxxxxxxxx On Mon, Aug 15, 2005 at 03:42:03PM -0700, Robert Thompson Jr. wrote: > From: "Robert Thompson Jr." <rthompson@xxxxxxxxxxxxxxxx> > Subject: RE: Serious flaw in Linksys wireless AP password security > Date: Mon, 15 Aug 2005 15:42:03 -0700 > To: Steve Scherf <bugtraq@xxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx > > When upgrading my WRT54GS (v 1.0) router to the 4.50.6 and 4.70.6 > firmwares, I experienced no such authentication problems. > > If the router was set wide open, I could connect without authentication. > > As soon as I specified WPA-PSK on the router, in order for me to connect > via the NIC I absolutely had to have the WZC configured for WPA-PSK > (TKIP or AES accordingly) and HAD to have the correct password > configured as well. (And the SSID of course...) > > If the proper settings were not configured into the WZC after enabling > WPA-PSK, I was not able to connect to the router. > > I am certain of these details as I was trying to get the WPA2 feature to > work on my NIC that didn't have WPA2 certified drivers at the time. I > ended up trying every damned near possible configuration before > realizing that it was my drivers that weren't working on my NIC before > having to settle with just WPA until Linksys updated their drivers on > their website... > > Though, since we are on the subject of the WRT54GS router. The 4.50.6 > and 4.70.6 firmwares enable the WPA2 feature. AND Linksys was kind > enough to finally release WPA2 certified drivers for the WPC54GS NIC's > (and I am assuming the WPC54G) as well. So if you haven't updated, you > may want to condsider doing so for the increased security. > > Rob. > > > > -----Original Message----- > From: Steve Scherf [mailto:bugtraq@xxxxxxxxxxxx]=20 > Sent: Sunday, August 14, 2005 12:53 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Serious flaw in Linksys wireless AP password security > > It appears that firmware version 4.50.6 for the Linksys WRT54GS > (hardware version 1) wireless router allows wireless clients to connect > and use the network without actually authenticating. With WPA > Personal/TKIP authentication enabled, the unit allows both clients using > encryption with the correct settings and key, and clients not using any > encryption. It disallows clients attempting to use encryption with the > wrong settings and/or key. > > In other words, even if you think you've secured your wireless network > from unauthorized access, anyone can access it. It actually shows up as > having no password security on a Macstumbler scan, which is how I > noticed the problem. > I verified that anyone can access the network without needing to know > the key. > > I did not check security modes other than WPA/TKIP. Other modes may have > different behavior. Changing the "Authentication Type" setting had no > effect on this problem. I believe it should be set to "Shared Key", but > the setting used does not appear to matter. > > I only verified the problem on firmware 4.50.6. It is unknown if other > firmware versions exhibit the problem. However, at least one older > firmware does not exhibit the problem, as my router functioned correctly > until I updated to 4.50.6. > > The problem appears to be fixed in version 4.70.6. No expliclit notice > of this problem or the fix appears in the release notes for version > 4.70.6. > Strangely, the "Authentication Type" must be set to "Auto" for the unit > to function properly. Should it be set to "Shared Key", which one might > expect to be the correct value, the wireless functionality appears to be > entirely disabled. > > It is unknown if this problem is seen with other hardware versions, or > with other models. I suspect it may, given the similarity between many > of the Linksys models and their firmware. > > > -- > Steve Scherf > bugtraq@xxxxxxxxxxxx
