
Linksys CherryBlossom Advisory - jonsouth
http://www.linksys.com/us/support-article?articleNum=263800
======
avaer
> If users believe their router firmware may have been compromised, Linksys
> recommends that users download the latest available firmware from
> [http://www.linksys.com/support/](http://www.linksys.com/support/) and
> update your router.

Is there a hardware feature that makes the firmware boot secure in a way that
prevents the firmware from interfering with the update? Such as croning itself
to reinstall the compromise when you're not looking? Or lying that it updated?

~~~
bsamuels
Linksys security guy here - we got that firmware update tidbit from the
cherryblossom documentation.

The firmware implant (aka flytrap) reproduces all of the router's normal
functionality. On page 122 of the cherryblossom docs, it says that the
firmware upgrade feature is implemented normally by the flytrap, and that if a
user attempts to upgrade their router's firmware, it will overwrite the
flytrap firmware.

~~~
droopybuns
Hey man- professional courtesy here: "if linksys users believe their routers
are compromised" is possibly the worst way to frame this. You should flatly
advise users to update.

~~~
shawnz
There's no patch. The fix is just to reflash Linksys firmware to make sure
you're not running compromised firmware.

------
rdtsc
> If users believe their router firmware may have been compromised,

What would make them believe that? Wish they had a detection tool as well.
Anyone know of one?

~~~
agumonkey
I wonder if there is an easy way to dump the firmware and do a sign / hash check
on another machine.

~~~
microwavecamera
Not really. Devices like consumer routers just weren't designed with these
things in mind unfortunately.

~~~
agumonkey
Not even with some jtag line?

~~~
microwavecamera
Sorry, I thought you meant an easy way. You could with a jtag interface, but
even then the filesystem would have been modified from normal operation, so the
image of the firmware you dumped would have a different hash than the stock
image. You could extract the filesystem and check the binaries and poke around
for things that shouldn't be there, but all this isn't exactly something the
average person could do to see if they were infected. If you have the
equipment and expertise, definitely. Honestly these companies need to step up
their game and just make better products in my opinion. It's not like the
technology isn't available.
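One way to act on the comparison microwavecamera describes, as an added example that is not from the thread or from Linksys: hash a JTAG dump region by region against a stock image, so a mismatch in a region that changes during normal use (settings, logs) is reported as expected, while a mismatch in the bootloader or kernel stands out. The flash layout and the sample images are constructed assumptions, not a real Linksys partition map.

```python
import hashlib

# Constructed flash layout for this example (an assumption, not a real Linksys
# map): (region name, byte offset, byte length) within the raw dump.
LAYOUT = [("bootloader", 0, 64), ("kernel", 64, 128),
          ("rootfs", 192, 128), ("nvram", 320, 64)]
# Regions that legitimately change in normal use (settings, logs); a mismatch
# there is expected and is not by itself evidence of tampering.
VOLATILE = {"nvram"}


def region_hashes(image, layout=LAYOUT):
    """SHA-256 of each region of a raw flash image, keyed by region name."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, off, size in layout}


def compare_images(dump, stock, layout=LAYOUT, volatile=VOLATILE):
    """Classify each region as 'match', 'differs (expected)' or 'differs'."""
    if len(dump) != len(stock):
        raise ValueError("dump and stock image sizes differ")
    dumped, known = region_hashes(dump, layout), region_hashes(stock, layout)
    verdicts = {}
    for name in known:
        if dumped[name] == known[name]:
            verdicts[name] = "match"
        elif name in volatile:
            verdicts[name] = "differs (expected)"
        else:
            verdicts[name] = "differs"
    return verdicts


def suspicious_regions(dump, stock, layout=LAYOUT, volatile=VOLATILE):
    """Non-volatile regions whose hash does not match the stock image."""
    return [name for name, verdict in
            compare_images(dump, stock, layout, volatile).items()
            if verdict == "differs"]


def build_sample_images():
    """Constructed 384-byte 'stock' image and a 'dump' of the same device after
    normal use (nvram changed) plus one unexpected byte flip in the kernel."""
    stock = bytes(range(256)) + bytes(range(128))
    dump = bytearray(stock)
    dump[330] ^= 0xFF   # inside nvram: expected drift
    dump[100] ^= 0x01   # inside kernel: should never change without an upgrade
    return bytes(dump), stock
```

A whole-image hash of the sample dump differs from stock either way; only the per-region view shows that the kernel, not just the config area, was changed.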

------
voltagex_
I wonder if a factory reset is enough in all cases - the source for the
factory reset has to be on the device itself.

I haven't played with it much, but there are ways to persist after a reset on
Android, I'd assume the same is possible here. Very happy to be corrected.

Anyone know what the cheapest Linksys I could buy is, and whether these
vulnerabilities have been released publicly?

~~~
lamlam
If the security of your router is of concern to you I would recommend setting
up your own FreeBSD+pfSense router.

Another option is to set up a VPN server that all your devices connect to, to
access the internet. In that scenario it won't matter if your router is
compromised because all traffic flowing through would be encrypted.

~~~
posguy
PFSense runs PHP as root. Let that just sink in for a second. Does that sound
like a recipe for security?

Never mind the community: when it comes to vaguely complex things like IPTV and
similar, support is either legacy or gone.

At this point OpenWRT is the only sane choice, at least it doesn't run
everything as root and isn't going to shove off Multicast UDP packet
forwarding support in the next year or two.

~~~
voltagex_
OpenWRT definitely has quirks, and my vendor thinks spawning hundreds of socat
processes is acceptable in production firmware:
[https://forum.turris.cz/t/ever-increasing-leaking-nuci-process/3743/7](https://forum.turris.cz/t/ever-increasing-leaking-nuci-process/3743/7)

------
a3n
So ... the latest available firmware for mine is from Jan 2016. Clearly there
would be no _fix_ in that firmware. So the idea is that I'm installing a
known/assumed/hoped "good" firmware, to replace the potentially bad firmware.
Yes?

(And the latest available is newer than what's on my router now, so might as
well.)

~~~
problems
Yes, not an exploit - just a modified firmware that they might have installed
if they broke in via other means (physical or wifi cracking for example).

------
chx
Isn't this a lie though? They do not mention remote compromise and I would bet
dollars to doughnuts most old routers have RCE holes.

~~~
bsamuels
There were no vulnerabilities included in the cherryblossom leak.

If you have any information about RCEs, Cherryblossom details we may have
missed, or any other vulnerabilities in Linksys devices, please email me
directly at benjamin.samuels at belkin.com

~~~
chx
"This customized firmware can be loaded onto a router using one of the
following methods:"

If I understood things correctly, the Cherryblossom thing is a firmware and
while this particular leak didn't mention any new RCEs I am surprised a bit
that the possibility of using any other RCE was categorically ruled out by the
wording of the advisory.

------
dang
Url changed from [http://bitsonline.com/linksys-remove-cia-tools/](http://bitsonline.com/linksys-remove-cia-tools/), which points to
this.

