WRT1900AC FTP Security Issue

[chadster766]

When the FTP Server is turned on all files will be accessible from the internet without a login.

Linksys engineering has a open Bug Case for this and is working on the solution.

 

[stevech]

When the FTP Server is turned on all files will be accessible from the internet without a login.

Linksys engineering has a open Bug Case for this and is working on the solution.

Accessible on the FTP port number?
or do you mean they allow anonymous FTP login with any old password and that login has access to all directories? Or something else?

 

[chadster766]

Accessible on the FTP port number? Port 21 on WAN and LAN
or do you mean they allow anonymous FTP login with any old password and that login has access to all directories? Yes anonymous login and all directories Or something else? No

Comments Above:

 

[stevech]

Yes anonymous login and all directories

Most of the open source editions of FTP servers are published with anonymous FTP logins allowed. But only to that user directory!

It's more than prudent to change and ship to consumers with FTP disabled alltogether, and anonymous logins disabled.

And before baselining a release, run a common security risk analyzer against the product and review the findings on open ports, protocols, etc.

 

[htismaqe]

FTP is disabled by default.

 

[chadster766]

Linksys engineering requested that I post the below workaround.





Simply change the port that the router listens to for FTP access from 21 to something other than 21 or 22. I changed it to 20 and it would not allow logons through a web browser without the URL being formatted as ftp://user:password@ip.address.of.router and would not allow an FTP client to access without first entering a username and password. I tried other numbers as well and found that only 21 and 22 are allowing this to happen.

 

[stevech]

Linksys engineering requested that I post the below workaround.



Simply change the port that the router listens to for FTP access from 21 to something other than 21 or 22. .

That sounds like Linksys level 1 tech support rather than engineering. Of course, all that does is require
ftp://domain:nn where nn is what you changed. This is like putting honey on dog poo.

 

[sfx2000]

Hmmm... this says that the WRT1900ac has been kicked over to Sustaining Engineering - and so, no further development except perhaps for bug fixes and security patches, and it will be a long time between releases...

IN the interim - use the WRT1900ac as a router - it's fast, it's stable there. Stay out of the WebGUI, and it's a good, fast router...

Attaching a USB drive - well, there's a lot of issues here with daemon's, file permissions, etc...

Repeat after me - a Router is Not A NAS...

sfx

 

[stevech]

Repeat after me - a Router is Not A NAS...
sfx

OK...

a Router is Not A NAS

on many planes

 

[chadster766]

Linksys engineering requested that I post the below workaround.





Simply change the port that the router listens to for FTP access from 21 to something other than 21 or 22. I changed it to 20 and it would not allow logons through a web browser without the URL being formatted as ftp://user:password@ip.address.of.router and would not allow an FTP client to access without first entering a username and password. I tried other numbers as well and found that only 21 and 22 are allowing this to happen.

This workaround doesn't work. Anonymous access is still available

 

[chadster766]

Linksys engineers did more testing and pinpointed why this is occurring:

When turning on FTP it tells you that Secure Folder Access will be enabled. It shows as enabled in the Folder Access tab. When you try anonymous FTP access though it works. Secure Folder Access is not being turned on automatically.

Fix:

Go back to the Folder Access tab. Turn Off Secure Folder Access and click Apply. Turn back on Secure Folder Access and click Apply. Try an anonymous FTP access.

 

[stevech]

fix:
Go back to the Folder Access tab. Turn Off Secure Folder Access and click Apply. Turn back on Secure Folder Access and click Apply. Try an anonymous FTP access.

well tested, pre-ship, eh?

 

[chadster766]

This issue is fixed in the new Firmware 1.1.8.161917