
Cisco confirms router 'pharming' exploits

A router hijack exploit scenario detailed by researchers at Symantec may affect Cisco routers that are marketed for the Small Office/Home Office (SOHO), Remote Office/Branch Office (ROBO) and teleworker business segments.
Written by Ryan Naraine, Contributor
The router hijack exploit scenario detailed by researchers at Symantec may affect Cisco routers that are marketed for the Small Office/Home Office (SOHO), Remote Office/Branch Office (ROBO) and teleworker business segments, according to a notice from Cisco's product security incident response team.

The background: Symantec's paper (PDF). Coverage by Joris Evers and Brian Krebs. Techmeme discussion.

The skinny: Because default router passwords are easy to guess and easily found with a search engine, attackers can hijack broadband routers by luring victims to a Web page rigged with malicious JavaScript. When the page is viewed, the script attempts to log in to the user's home broadband router with those default credentials and to change its DNS server settings. Once the machine picks up the updated DNS settings from the router (after a reboot), all future DNS requests are sent to, and resolved by, the attacker's DNS server.

The fix: For home users, log into your router's management console and change the password now. Here are online instructions from D-Link, Linksys and Netgear.

Now, Cisco is acknowledging that some enterprise-class products are also vulnerable, even if it's not a router vulnerability in the strictest sense.

At risk are those Cisco routers that have the Cisco IOS HTTP server enabled by default so that Cisco Router Web Setup (CRWS) or the Security Device Manager (SDM) can communicate with the router. With either CRWS or SDM installed at shipping, the router's configuration contains a default username and password that is used to access the router via the HTTP web interface, which is exactly what the drive-by technique relies on.
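The sequence described for home routers above, and the CRWS/SDM case on Cisco routers, are the same attack: a page in the victim's browser sends authenticated configuration requests to a router that still answers to a factory credential. The following is an added example, not code from the article, from Symantec's paper or from Cisco, that models that sequence against a constructed in-memory router. The `/dns` path, the `dns` parameter, the credential list, the gateway addresses and the `ModelRouter` class are all assumptions made for the illustration, not any vendor's real interface.

```javascript
// Added example (not from the article, Symantec's paper or Cisco's response):
// a model of the drive-by pharming sequence against a router that still
// accepts its default credentials. ModelRouter is a constructed in-memory
// stand-in for a router's HTTP admin interface; the /dns path, the "dns"
// parameter, the credential list and the addresses are assumptions.

const ATTACKER_DNS = '198.51.100.1';   // attacker's resolver (documentation range)
const LEGITIMATE_DNS = '192.0.2.53';   // resolver the router shipped with

// Default credential pairs the attacker's page tries; constructed for the example.
const DEFAULT_CREDENTIALS = [
  { user: 'admin', pass: 'admin' },
  { user: 'admin', pass: 'password' },
  { user: 'admin', pass: '' },
];

// Private-range gateway addresses the script sprays, since the page cannot
// know which one the victim's router uses.
const CANDIDATE_GATEWAYS = ['192.168.0.1', '192.168.1.1', '10.0.0.1'];

function basicAuthHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');
}

// Minimal router admin interface: HTTP Basic auth on every request, and an
// authenticated POST /dns replaces the DNS servers handed to LAN clients.
class ModelRouter {
  constructor(user, pass) {
    this.user = user;
    this.pass = pass;
    this.dnsServers = [LEGITIMATE_DNS];
  }

  handle(req) {
    if (req.headers.authorization !== basicAuthHeader(this.user, this.pass)) {
      return { status: 401 };              // wrong or missing credentials
    }
    if (req.method === 'POST' && req.path === '/dns') {
      this.dnsServers = req.body.dns.split(',').map((s) => s.trim());
    }
    return { status: 200 };
  }
}

// The attacker's page, as the routers see it: for each plausible gateway and
// each default credential pair, send one DNS-change request. In the real attack
// the victim's browser carries the request into the LAN and the attacker never
// needs to read the response; here `network` maps an address to a ModelRouter.
function driveByPharm(network, attackerDns = ATTACKER_DNS) {
  for (const gateway of CANDIDATE_GATEWAYS) {
    const router = network[gateway];
    if (!router) continue;                 // nothing answers at this address
    for (const cred of DEFAULT_CREDENTIALS) {
      const res = router.handle({
        method: 'POST',
        path: '/dns',
        headers: { authorization: basicAuthHeader(cred.user, cred.pass) },
        body: { dns: attackerDns },
      });
      if (res.status === 200) {
        return { hijacked: true, gateway, credential: `${cred.user}:${cred.pass}` };
      }
    }
  }
  return { hijacked: false };
}

// What the victim's machine ends up with once it picks up the router's DNS
// setting (after a reboot, in the article's description): every lookup goes
// to whichever resolver the router now hands out.
function resolverUsedByClient(router) {
  return router.dnsServers[0];
}

// Demo: a factory-default router is hijacked; one with a changed password is not.
const victimNet = { '192.168.1.1': new ModelRouter('admin', 'admin') };
const hardenedNet = { '192.168.1.1': new ModelRouter('admin', 'a long unique passphrase') };
console.log('default creds:', driveByPharm(victimNet),
  '-> client resolves via', resolverUsedByClient(victimNet['192.168.1.1']));
console.log('changed password:', driveByPharm(hardenedNet),
  '-> client resolves via', resolverUsedByClient(hardenedNet['192.168.1.1']));
```

Two things the model makes visible. First, the attacker never reads a response: a malicious page only has to get the browser to emit the requests, so cross-origin read restrictions do not protect the router. Second, changing the password defeats this particular attack only because the attacker is guessing the credential; a router whose web interface keeps an admin session in a cookie and accepts configuration changes without an anti-CSRF token can still be driven this way while its owner is logged in, which is why the Cisco advice of restricting or disabling the HTTP server matters as much as the credential change.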

A full list of the Cisco business routers that may be affected by the attack methodology is available in the company's official response.
