Linksys SMART WiFi EA series routers have firmware vulnerabilities that could expose the administrator password, according to an advisory from Carnegie Mellon’s CERT.
In the first vulnerability, CVE-2014-8243, an “unauthenticated attacker on the local area network (LAN) can read the router’s .htpassword file by requesting http(s)://<router_ip>/.htpasswd.”
The administrator password can be found as an MD5 hash in the “.htpasswd” file.
To exploit it, the attacker must be connected to the router’s network. In other words, access to the router’s network is enough; access to the router’s administrator panel is not required.
The second vulnerability lies in the fact that a “remote, unauthenticated user can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://<router_ip>/JNAP/.”
This way, “depending on the JNAP action that is called, the attacker may be able to read or modify sensitive information on the router.”
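A detection-side illustration of the two request patterns described above, as an added example that is not part of the original article or the CERT advisory: it flags requests for `.htpasswd` and unauthenticated POSTs to `/JNAP/` in HTTP request records. The record format, the sample lines and the function names are constructed assumptions.

```python
# Added example: flags the two request patterns from the advisory in HTTP
# request records. The record format is an assumption (constructed for this
# example), not the output of any Linksys or CERT tool.
import posixpath
from urllib.parse import unquote

# Constructed sample records: "<src_ip> <method> <request-target> auth=<yes|no>"
SAMPLE_LOG = """\
192.168.1.23 GET /.htpasswd auth=no
192.168.1.23 GET /%2Ehtpasswd?x=1 auth=no
192.168.1.40 POST /JNAP/ auth=no
192.168.1.10 POST /JNAP/ auth=yes
192.168.1.10 GET /index.html auth=no
this line is malformed
"""

def normalize_path(target):
    """Drop the query string, percent-decode, and collapse the path."""
    path = unquote(target.split("?", 1)[0])
    # normpath resolves "." and ".." segments and duplicate slashes.
    # Lower-casing is deliberately conservative: it may over-match.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def classify(method, target, authenticated):
    """Return a finding label for one request, or None if it looks benign."""
    path = normalize_path(target)
    if posixpath.basename(path) == ".htpasswd":
        return "htpasswd-read"  # request pattern of CVE-2014-8243
    is_jnap = path == "/jnap" or path.startswith("/jnap/")
    if method.upper() == "POST" and is_jnap and not authenticated:
        return "unauthenticated-jnap"
    return None

def scan(log_text):
    """Return (line_number, source_ip, label) for every flagged record."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4 or not parts[3].startswith("auth="):
            continue  # skip records that do not fit the assumed format
        src, method, target, auth = parts
        label = classify(method, target, auth == "auth=yes")
        if label:
            findings.append((lineno, src, label))
    return findings

if __name__ == "__main__":
    for lineno, src, label in scan(SAMPLE_LOG):
        print(f"line {lineno}: {src} -> {label}")
```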
The Java-based JNAP utility, built on the Java Portal Communication Module (Java PCM) API, is used “to test the database connection, load flists from files, use the flists as input when calling opcodes on the server, and display output flists,” according to its documentation on Oracle’s web site.
The EA series routers also expose several ports of the administrator interface by default, such as 100080 and 52000, along with others that depend on the model.
At the time of writing, fixes for the two vulnerabilities have been issued for the following routers: E4200v2, EA4500, EA6200, EA6300, EA6400, EA6500, EA6700 and EA6900. Fixes for the EA2700 and EA3500 routers have not yet been released.
The vulnerabilities are under review by the National Institute of Standards and Technology (NIST), which runs the National Vulnerability Database (NVD).