Home page logo
/

bugtraq logo Bugtraq mailing list archives

Linksys BEFVP41 VPN Server does not follow proper VPN standards
From: <pschlesinger () teltechplus com>
Date: 8 Mar 2002 00:41:16 -0000



Dear all,

A month ago, we discovered a bug in the VPN Server 
module of the Linksys EtherFast BEFVP41 
Cable/DSL VPN Router.  Here's the detailed email we 
sent to Linksys Tech Support:

**** Begin Email ****
Dear Support @ Linksys,

We recently heard about your BEFVP41 and thought 
we'd try it out as we
liked the BEFSR41.  Our corporate office uses a 
SonicWALL Pro 200 on a
T-1 line.

Anyway, I tried setting up a manual key entry on both 
the Pro 200 and
the BEFVP41, but the key lengths on the BEFVP41 
appear to be WAY off.
Just to give you an idea, the SonicWALL approved 
the following 3DES/MD5
keys:

Encryption: 
80C4DAFD9AFC3D7AB57079E19DEBFFF43538A62
039768D74
Authentication: 
32EA72F58D7F1E063E14A3FF78131172

But the BEFVP41 truncates the keys to:

Encryption: 80C4DAFD9AFC3D7AB57079E
Authentication: 32EA72F58D7F1E063E1

This happens even when I've selected 3DES 
encryption and MD5
authentication on the BEFVP41.  SonicWALL's 
manual for configuring the
VPN clearly states:

"The DES and ARCFour Keys must be exactly 16 
characters long and are
comprised of hexadecimal characters.  Triple DES 
Keys are 48 characters
long."..."The AH key must be exactly 32 characters 
long, if MD5 is used,
and is comprised of hexadecimal characters"

whereas your manual states on page 22, "up to 23 
alphanumeric characters
are allowed to create this key", yet as you'll see 
above, the
authentication string actually is restricted to 19 
characters.  What's
going on?  Do you expect people to convert between 
base 16 (hexadecimal)
and base 36 (alphanumeric)?
*** End Email ***

BTW, the end question re: base 36 (alphanumeric 
was because their GUI and manual didn't explain 
whether the information has to be entered in base 2, 
base 10, base 16, or base 36 - the VPN Server 
configuration screen seems to use both base 10 and 
base 36.  Documentation for the product is rather 
utilitarian...

Anyway, I received an email shortly thereafter stating 
that they were escalating the problem to level 2 
support.  On 2/11, I received the following message 
from a Senior Product Support Representative at 
Linksys (I've chosen to withhold his name to prevent 
Loshen Hora):

**** Begin Email ****
Dear Valued Linksys Customer:

Thank you for contacting Linksys Customer Support.

We will attempt to address this in the next firmware 
release.

If you have further questions, please contact us at 
(800) 326-7114 or
reply to this e-mail so that we may further assist you
**** End Email ***

My reply to the Senior Product Support 
Representative at Linksys:

**** Begin Email ****
You're kidding, right?  Are you telling me that Linksys 
didn't use the
proper IPSec keying methods in the design of the 
BEFVP41 when it says right
on the box "Full IPSec Virtual Private Network (VPN) 
Capability" and that it
is compatible with the SonicWALL Tele2 (which uses 
the same keying scheme)?
When is this firmware update coming?

PS - Out of curiosity, will I be receiving credit for 
finding this flaw? (Poster's note: okay, okay...so my 
interest in fame got the better of me...)

**** End Email ****

The reply from the Senior Product Support 
Representative at Linksys:

**** Begin Email ****
Thank you for contacting Linksys Customer Support. 

Well sir it does work when you use IKE, which is 
much more secure than
manual keying.  Unfortunately sir bugs do happen in a 
product that hasn't
been out on the market for more than a couple of 
months.  I apologize for
any inconvenience that this has caused you, but 
Linksys does not issue
credit.

If you have further questions, please contact us at 
(800) 326-7114 or 
reply to this e-mail so that we may further assist you 
**** End Email ****

That last email was sent to my on 2/12.  It's now 
about a month later and there has not been a new 
firmware update for the BEFVP41 yet on the web site.

Just a FYI for y'all.

- Phil


  By Date           By Thread  

Current thread:
  • Linksys BEFVP41 VPN Server does not follow proper VPN standards pschlesinger (Mar 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault