Cisco Talos Intelligence Group's Jared Rittle found three vulnerabilities in the Linksys E Series line of routers which allow attackers to execute arbitrary system commands by exploiting operating system command injections.
"An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine," says the Cisco Talos researcher.
Rittle tested his proofs-of-concept against two Linksys router models, the Linksys E1200 and the Linksys E2500, but according to his advisory, there are other vulnerable routers in the Linksys E series line.
The E Series are routers designed for small business and home office use, with a host of features intended to make it easier to wirelessly connect a wide array of devices, from computers and smart TVs to smartphones and gaming consoles.
All vulnerabilities are caused by "improper filtering of data passed to and retrieved from NVRAM" which leads to arbitrary system commands being executed.
The three vulnerabilities can be exploited by attackers only when they are already authenticated.
To exploit the three security issues, attackers can use data they enter "into the 'Router Name' input field through the web portal" or into the 'Domain Name' input field on the apply.cgi page of the routers' web-based control panel to send system commands into the NVRAM.
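As an added illustration, not code from Linksys or from the Talos advisory, the following C shows the kind of allow-list check a router's web interface could apply to a 'Router Name' or 'Domain Name' value before writing it to NVRAM, so that only RFC 1123-style hostnames ever reach a system command. The function names and the NVRAM slot are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_NAME_LEN 253   /* total length limit for a DNS name */
#define MAX_LABEL_LEN 63   /* per-label limit */

/* Locale-independent ASCII alphanumeric test. */
static bool ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Return true only if s is a hostname/domain name made of labels of
 * [A-Za-z0-9-], 1..63 chars each, not starting or ending with '-',
 * separated by single dots, with no trailing dot. Anything else, including
 * whitespace, quotes and shell metacharacters, is rejected. */
bool valid_dns_name(const char *s)
{
    if (s == NULL) return false;
    size_t len = strlen(s);
    if (len == 0 || len > MAX_NAME_LEN) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-') return false; /* empty label or trailing '-' */
            label_len = 0;
            continue;
        }
        if (!ascii_alnum(c) && c != '-') return false;   /* outside the allow-list */
        if (label_len == 0 && c == '-') return false;    /* label cannot start with '-' */
        if (++label_len > MAX_LABEL_LEN) return false;
    }
    return label_len > 0 && s[len - 1] != '-';           /* final label well-formed */
}

/* Gate a web-form value before it reaches NVRAM (a plain buffer here, an
 * assumption standing in for the real store). The same check should be applied
 * again when the value is read back, since NVRAM may be written by other paths.
 * Returns 0 and copies the value on success, -1 and leaves the slot untouched
 * on rejection. */
int store_router_name(const char *input, char *nvram_slot, size_t slot_len)
{
    if (!valid_dns_name(input) || strlen(input) + 1 > slot_len) return -1;
    memcpy(nvram_slot, input, strlen(input) + 1);
    return 0;
}
```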
Cisco Talos disclosed the three issues to Linksys on July 9, and the vendor patched the E1200 router on August 14 and the E2500 on October 4.
It is also important to mention that the bad actors need to first be authenticated to exploit the vulnerabilities. However, the fact that a successful exploit gives them full control of the routers drastically increases the three issues' severity.
The three vulnerabilities have received the CVE-2018-3953, CVE-2018-3954, and CVE-2018-3955 identification numbers in the Common Vulnerabilities and Exposures database.
All Linksys users of affected routers are advised to update their devices' firmware (.BIN), available for download on the Linksys firmware update server.