1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How much do you trust 443 (Quick VPN)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Oct 13, 2006.

  1. ed001

    ed001 Network Guru Member

    Not trying to start a war, I just wanted to get some opinions on Opening Linksys devices to the world via port 443/60443. How secure is their implimentation of ssl? Has anyone here personally banged on it with some pentest tools?

    I havn't yet, I am in the very early stages of learning to use Nessus and plan on learning Metasploit in the future. (working in a test lab of course).

    Just looking for opinions.
  2. net_eng

    net_eng Network Guru Member

    I did a scan with nessus on port 443 and it appears that RV series(at least rv042) with firmware is using an old openssl library. I dont know if this is a false positive but if it is indeed an old library it should be updated.

    Now considering that the source code indicates they are using freeswan which is no longer being updated and linux kernel 2.4 , I guess updating software versions is not on the list of priorities right now :)

    Nessus Scan:
    Synopsis :

    The remote service uses a library which is vulnerable to a buffer overflow

    Description :

    The remote service seems to be using a version of OpenSSL which is
    older than 0.9.6e or 0.9.7-beta3.

    This version is vulnerable to a buffer overflow which, may allow an
    attacker to execute arbitrary commands on the remote host with the
    privileges of the application itself.

    Solution :

    Upgrade to OpenSSL version 0.9.6e (0.9.7beta3) or newer :
  3. ed001

    ed001 Network Guru Member

    That's a little scary. Can anyone verify the openssl version?
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    Here's an email response I sent back to a guy who was at one time convinced (and still is for that matter) that quickvpn would bring down the entire free world (relax, y'all, it's just jokes :) ) because of the "possibility" that the session could be hijacked. I initially had started a thread regarding how linksys had improved the 50 user quickvpn upgrade license in firmware 2.39.2e for the WRV54G and it somehow morphed into another advertisement of the "insecurity of quickvpn."

    Message starts:

    Makeit Quick <xxxxxxxxxx@yahoo.com> wrote:

    Interesting and still disturbing ...
    For a product that has a GPL kernel but a non GPL application layer -
    I wonder how long the community would wait for Linksys to fix bugs
    (given the assumption that this product is deprecated).

    I also wonder why 50 QVPN license is different than a regular
    firmware - if it's not just a compile time variable than someone
    deliberately neglects the public release.

    last but not least, who would pay for a 50 user license firmware for
    a product that has a severe security bug in QVPN ?

    My Response:

    People who use quickvpn are the same people who would park a car on a busy street knowing it "might" be

    a) dinged by someone elses car door
    b) hit by someone else's car
    c) broken into by someone

    Ultimately, it's a "possibility" that doesn't stop them because it's just "another day." There are more quickvpn users "everyday" and none of them are worried about a "needle in a haystack" possibility of their quickvpn session getting hijacked (truth be told).

    Hey, the users have spoken :), and they aren't particularly bothered about quickvpn's diminutive security hole...

    Two words: "Risk Assessment." Users have looked at the risks involved and have found quickvpn's ease of configuration and IPSEC properties to be worth the risk.

    End Message

    So, unless someone is hanging out and watching "just you" quickvpn is no more insecure than the following examples given above. Granted, like most things, quickvpn can't be guarded against "everything," so there are risks one will always have to take; your assessment of that risk is what makes the difference based on "your need." :)

  5. madmax7774

    madmax7774 LI Guru Member

    the real answer is....

    Unless you are a total Dick on the web, and attract a lot of attention to yourself, OR unless you are a major Identitity on the web, then no one is going to single you out, and bother with you. Your security comes from your anonyminty in the crowd.....
  6. docinthebox

    docinthebox LI Guru Member

    DocLarge, in your QuickVPN setup guide, you mention the need to enable HTTPS on the router. On the WRV200, does that mean enabling remote management by HTTPS? I don't see any other HTTPS that can be enabled. Thanks.
  7. DocLarge

    DocLarge Super Moderator Staff Member Member

    Enabling HTTPS was only required on the RV0xx router's (as posted by a user how did this and was able to use quickvpn); this isn't required for the WRV54G or the WRV200.

  8. mvalenci

    mvalenci LI Guru Member

    here is an updated status http://www.logelog.com/linksys/
  9. DocLarge

    DocLarge Super Moderator Staff Member Member

    Mvalenci (a.k.a. "Make_it_quick),

    I see you've returned pushing the same rhetoric again regarding the "GAPING Hole" that the world will suffer from if they use quickvpn. Well, as it stands, "zero day quickvpn tragedy" still has not struck, and it's not going to unless a person is "directly targeted" and "continually monitored" so their quickvpn session can be captured and replayed."

    As we asked you before when you first spoke of your findings, and subsequently posted said information on Linksysinfo "without" verifying your findings with Linksys-Cisco, have you corroborated your latest facts with Linksys engineers before posting your "home reviewed" discovery on our site again?

    As always, peer reviewed and validated documentation of this nature is best seen at the development level before arbitrarily purporting to be fact... While we don't disagree with you trying to raise awareness, we can't allow anyone to post information of this nature without other sources (namely Linksys-Cisco) having also verified the arguement...

  10. heidnerd

    heidnerd LI Guru Member

    FWIW here is the reference from openssl.org


    There are openssl updates are available for the 2.4 kernel. But they might need to be back ported -- since it does appear that the routers use Freeswan.

    The version of quickvpn just released in the beta zip files... is vulnerable... one release too far back. I see it as 0.9.8c it should be 0.9.8d.

    Does this mean I will not use it.... no - I will use it... Knowing there is a risk and waiting for updates.

    But at the same time the problem is that the hacking community is also getting much better at exploiting the vulnerabilities. see www.metasploit.org so if you vpn server is vulnerable to a certificate spoof and you have valuable content behind it.... be forewarned.

    So it should be a reasonable expectation of the linksys customer base that firmware for current product models will have known vulnerabilities corrected in them within a reasonable period of time. Afterall some government entities are also using these products:cool:
  11. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I think this is a very well considered response. I'm going to take a look at some of your links. I was aware of the OpenSSL vulnerability but not the possible exploit.

    The webmaster's blog (that's me) at Breezy! has a quicky synopsis of the issues and some potential fixes that are coming down the pipe. Hopefully they will backport OpenSSL with the new firmware. The admin at linksysinfo.org was nice enough to invite me into a small alpha testing group with the Linksys engineers. Maybe they already have implemented the patched OpenSSL..I haven't looked at the new firmware but will try to wack it with Nessus and the latest plug-ins to see what "pops". As you say, the risk is minimum...probably reasonable.

    (I have a link back to the RVxxx, WRVxxx and VPN solutions forum on this site!)

  12. heidnerd

    heidnerd LI Guru Member

    I checked and metasploit does not yet have a publicly posted openssl exploit. However they have a team of individuals that make every effort to post exploits as soon as possible. And the exploits they post are in the form of a do it yourself toolkit --- easily repeatable. Their motivation is that if the exploits are posted - vendors will fix the buggy software. Hence the need to close vulnerability in currently marketed products within a reasonable amount of time after an exploit has been anounced.

    One of the problems with the openssl vulnerability (if I remember right) is the ability to generate an invalid cert that would still be accepted. Also quickvpn (server side) does not force all clients to be using valid certs. You have an option to use an invalid cert (and connect without encryption -- from my reading of the popup window). In those cases the vpn username and password would be sent across the internet in a very easily cracked format. If at a later time the admin forces better certificates on the connecting clients... and there is away to require valid certifications... with a vulnerable version of openssl on the vpn server it may be possible for someone that had captured the prior username and password combination to use one of the exploitable certificates to connect without the network administrators knowledge.

    It is a pretty convoluted scheme that would need to be executed in order to take advantage of any quickvpn weakness. A certain amount of preplanning and waiting. As such for my small network - I am not as concerned and am willing to change the user (one) vpn password frequently from inside the network to counter the problem -- at the present time. My $ risk is low.

    However for frequent travellers and road warriors - it should be a larger concern. Over the last couple of years I've been observing the network security more and more at the hotels/motels that I stay at when I travel. Many of them are very lax. Some using hubs instead of switches (all traffic seen by everyone). In one case the hotel was being remodelled and the network devices were racked up in a hallway visible from the front desk -- but not monitored twentyfour hours. Basically network security at hotels/motels is not a high priority -- and it might be easy for some one to add a promiscuous connection to the network and capture information.

    When my oldest daughter was off at a college within the central part of the US. Her BlackIce warning was going off steady.... so we finally added a firewall appliance between or PC and the dorm connection (against university rules). The problem is again -- they were not using intelligent switches but hubs and where switches were being used -- not very aggressive subnetting. And college kids does include a group of --- shall we say -- experimenters...

    She later spent a year at a university in Germany and saw the same thing... if fact it was so bad that one Christmas after she returned to the school after the break -- the university had basically shutdown everyones network connections until they first contacted a central test point that coulld verify that their PC clients had virus scanners, updated OS software and firewalls installed.

    Point being is that there is a lot of nasty stuff out there -- and most of us aware of the dangers and use routers, set them up wisely are okay... but for individuals that accept default settings and don't read the manuals or the setup tip sheets (elsewhere on this forum) can be in for a real surprise.

    I am glad to see the Linksys has added the ability to generate new certs in the RVxxx routers. That step should also be documented as one of the basic things that should be done -- along with changing the admin password for the router...
  13. mvalenci

    mvalenci LI Guru Member

    Update regarding the security breach

    I thought that I’d get back and post a late update on this issue.
    Though getting a promise from Linksys Cisco – the fix for WRV54G Firmware was never released until this day (I guess you'd say the product is unsupported...).
    Some Firmware releases for later products (though few) allow replacing the self signed certificate and sealing the breach.

    Now guess what...
    I have sniffed the TLS handshake protocol and saw that most if not all Linksys products work with TLS over RSA, skipping DH. I have few different devices to show the basic principle (flaw) being repeated again and again.
    This "Perfect Forward Secrecy" issue (a.k.a PFS) would allow session keys to be extracted assuming the RSA keys are known.
    Anyone just passively sniffing the wire or recording the session assuming that keys will be revealed someday can hack in.

    This principle also exposes a potential issue with remote browser access over TLS.

    Giving the fact that most Linksys products does not allow you to replace the Self Signed Certificate and that the Self Signed Certificate is virtually known to anyone who is willing to read the Flash I hope you start realizing we are dealing with a real big issue...

    I guess you already know who sells us these products and start believing there is a conspiracy... ;)
    Have a nice upcoming Christmas, don't buy another router :)
  14. DocLarge

    DocLarge Super Moderator Staff Member Member

    To anyone reading or posting to this thread formerly known as "makeitquick" (you can't fool those in the know), if quickpn were insecure to the point where the vulnerabilities were not considered "acceptable risks," the product would not continue to be sold...

    This arguement of quickvpn's ability to secure vpn traffic has been raised an buried "too many times" and this something that was answered a year ago. The supposed vulnerability spoken of is an "accepted risk" meaning that an individual would have to "stalk" someone's computer in order to get the required information to hack their username and password. Furthermore, quickvpn is no where in league of a clear-text username and passowrd combination like FTP, so, honestly, why do people keep assuming the quickvpn is insecure to the hilt?!?!?! :)

    Let it go, folks. There's more to lament over than an application that runs 128bit encryption that's still being utilized for vpn functionality the world over :)

    Just my thoughts, by the way...
  15. Toxic

    Toxic Administrator Staff Member

    if the individual is so worried about qvpn connections, how much does he consider in someone actaully breaking into his house and stealing his PC/Laptop. there is more chance of that tbh.
  16. mvalenci

    mvalenci LI Guru Member

    I should really do something else with my time/life :)
    I tend to see this as my word (whether my name is this or that) against other's respected people's words who are always tend to say last words (as if Linksys defending from bad PR).

    Spyware as well as other privacy violating software or tools don't "stalk" anyone; they just pick up any random information, aggregating it and eventually capture something.
    The data provided in my last post does show that this is possible.

    Frankly, I think we are living in a decade where networking firmware and features had to be in stage where:
    1. VPN should have been commoditized and given for free
    2. Security had to be bug-free and mature enough to aggregate community feedback

    I'm sorry that we are not there and I do hope that this forum gives (professional) people the voice rather than mocking them.

Share This Page