Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28 Unauthenticated Remote Administration Access

Vulnerable products : Linksys EA2700, EA3500, E4200, EA4500 using
lighttpd 1.4.28 and Utopia on Linux 2.6.22

Firmware Version: 1.0.14 EA2700
Firmware Version: 1.0.30 EA3500
Firmware Version: 2.0.36 E4200
Firmware Version: 2.0.36 EA4500

Impact: - Major

Timeline: - Still awaiting word back from Linksys support. Partial
disclosure at the present due to the impact; Full disclosure in near
future if warranted.

Vulnerabilities:

• Unauthenticated remote access to all pages of the router
  administration GUI, bypassing any credential prompts under certain
  common configurations (see below)
• Direct access to several other critical files, unauthenticated as well

Vulnerability Conditions seen in all variations:

• Remote Management - Disabled
• UPnP - Enabled
• IPv4 SPI Firewall Protection - Disabled

Although not the same symptoms as the bug that plagues most ASUS
routers that are AiCloud enabled with WebDav, the utilization of both
UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely
problematic combination, exposing certain vulnerabilities to the WAN
side of the router.

Recommendations-

• Disable UPnP
• Enable at minimum the built in IPv4 SPI firewall
• Oddly, in some instances, resetting the password and doing a full
  power down reboot has shown to close the vulnerability, but not always
• Disallow remote access from the WAN side - both http and https
• Changing the default user name and password won't help in this case,
  but it always bears repeating
• Since an attacker has access to enable FTP service, USB drives
  mounted in the router should be removed until a patch is out, or the
  full scope of the issue is known

Testing additional firmware is ongoing.