10-19-2017 02:45 PM
I certainly agree that it is wrong that you can't disable http access and require https access. I have no idea why Linksys doesn't allow you to disable that.
Also, if you use https access, you will get an error because of a self-signed certificate and you have to add a security exception (at least I did on my EA6200s).
By the way, if you are into alternative firmware (for any number of reasons), both DD-WRT and OpenWrt have repaired the KRACK vulnerability.
What's more serious is it will be months, years or maybe never for many old systems (various Android and iOS devices, Linux, etc.) to fix their client software for KRACK. So you will be at risk (as you always are) when you use Wi-Fi at a router that you don't control.
10-19-2017 03:24 PM
One of the biggest issues for me is that they marked this solved. Seriously? I should try that with the next bill I get. "I'm reviewing the bill, I now consider this matter resolved. I will send an update to an incredibly vague place that nobody has been able to identify. Thanks for your faith and confidence in Linksys."
10-19-2017 06:50 PM
One thing I think everyone is glossing over is the nature of the attack.
From what I have read, this is a client-side attack, so fixing Velop firmware is needed to prevent child nodes from being vulnerable, but firmware for "all" other wireless clients will need to be fixed as well or the network will remain vulnerable.
What about the TVs, media players, cameras, etc., many of which may take a long time to get updates, if at all?
10-20-2017 07:21 AM
10-20-2017 07:33 AM
I put my "things" on the Guest network and reserve my main network for my computers, phone, tablet. If someone hacks the TV, DVR, streaming device, thermostat, it will make my life difficult for sure, but the hacker can't use those to easily access sensitive communications and files on my computer, phone, and tablet. However, that assumes that the router is reasonably secure. The router is the device that is central to communications with the internet, the other "things" are not. Hence, getting the router fixed is key for this vulnerability in my estimation. Routers aren't cheap, we all need one, so it is not unreasonable to expect support for a few years at least. Just my opinion.
10-20-2017 08:10 AM
I'm a little confused, I see this as being marked as SOLVED, but I see no firmware update? I see no commitment to a release date? I see no workaround. I really see nothing to answer the question asking for the patch? How does this solve the issue?
I think this was marked SOLVED prematurely?
10-20-2017 06:20 PM
Hi, everyone. We already have an update regarding the KRACK attack vulnerability. Check out our Security Advisory Page for more information and instruction.
Thank you for your patience.
10-20-2017 09:32 PM
According to SEC-Consult on this page: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-linksys-e-series-products...
It appears Linksys was contacted on 10 July 2017 and ceased contact on 18 September. Perhaps the security team also felt the issue was solved?
VENDOR CONTACT TIMELINE
2017-07-10: Contacting vendor through firstname.lastname@example.org. Set release date to 2017-08-29.
2017-07-12: Confirmation of recipient. The contact also states that the unit is older and they have to look for it.
2017-08-07: Asking for update; Contact responds that they have to look for such a unit in their inventory.
2017-08-08: Contact responds that he verified three of four vulnerabilities.
2017-08-09: Sent PCAP dump and more information about vulnerability #4 to assist the contact with verification.
2017-08-18: Sending new advisory version to contact and asking for an update; No answer.
2017-08-22: Asking for an update; Contact states that he is trying to get a fixed firmware from the OEM.
2017-08-24: Asked the vendor how much additional time he will need.
2017-08-25: Vendor states that it is difficult to get an update from the OEM due to the age of the product (“Many of the engineers who originally worked on this code base are no longer with the company”). Clarified some CORS/SOP issues which were misunderstood.
2017-08-30: Sending Proof of Concept for CSRF/XSS as HTML files to the vendor. Changed the vulnerability description of the advisory to explain the possibility of exploiting the CSRF/XSS vulnerabilities from LAN and WAN side.
2017-09-07: Asking for an update; Vendor agrees with the new vulnerability descriptions and states that the OEM got back to them with a fix for the E2500 and they are in the QA phase. The vendor is expecting fixes for E900, E1200, and E8400 later this week or next week to hand them over to QA.
2017-09-07: Stated that E8400 was not found by the IoT Inspector because there was no firmware available to download online. Stated that it will be available in the next version of the advisory. Shifting the advisory release to 2017-09-26. Asking for confirmation of the other reported devices:
Linksys E900-ME (Version: 1.0.06)
Linksys E1500 (Version: 1.0.06 Build 1)
Linksys E3200 (Version: 1.0.05 Build 2)
Linksys E4200 (Version: 1.0.06 Build 3)
Linksys WRT54G2 (Version: 1.5.02 Build 5)
2017-09-18: Sending new version of the advisory to the vendor. Asking for an update; No answer.
2017-09-21: Asking for an update; No answer.
2017-09-26: Asking for an update; No answer.
2017-10-02: Asking for an update and shifting the advisory release to 2017-10-09; No answer.
2017-10-16: Informing the vendor that the advisory will be released on 2017-10-18 because vendor is unresponsive.
2017-10-18: Public release of security advisory
Regardless of the risk to the average person, this seems to be a pretty Mickey Mouse response to a pretty severe vulnerability. Over 3 months since initial notification and Linksys is still verifying which SKUs are impacted? This SHOULD have been a concurrent release between Linksys and the security researchers that located the vulnerability. The optics on this response do not give confidence that Linksys/Belkin takes security seriously.