Security Advisory : JavaScript Insertion Exploit

Security Advisory : Vigor 2700 / 2100 .js Insertion Exploit

This note relates to a possible JavaScript exploit; it has been registered as CVE-2013-5703 or VU#101462.

About the Vigor 2700

This advisory applies only to the Vigor 2100G, Vigor 2100VG, Vigor 2700G and Vigor 2700VG. These models were sold between approximately 2005 and 2009. The Vigor 2700 series was an ADSL router supporting only the original ADSL services, not the current ADSL2 or ADSL2+ services, and all of these models used only the older 802.11b or 802.11g wireless standards, not the later ones, so it is unlikely that many of these units remain in use so many years later. The models are easily recognised by their distinctive metallic blue or golden cases with a wavy top.

MSIE 7 and JavaScript Extensions

With the release of Internet Explorer 7, new JavaScript methods were introduced, and most other mainstream browsers supported these methods soon after (or prior). In 2007, IE7 became the dominant browser for PC/Windows users, and over the following years new exploits were developed or proposed. In October 2013, a researcher proposed a potential exploit whereby a miscreant within wireless range of your router could broadcast a rogue SSID containing malicious JavaScript. That SSID would be picked up by the router's web interface (in the 'AP scan' facility, if you used it) and then be parsed and/or displayed by the web interface (if you viewed it). The exploit would only work at the actual time when you use the scan facility within the router and then view the resulting list in the web user interface (WUI), so it is not a continuous opportunity (and people rarely use the facility). As the SSID is limited to 32 characters, the scope for mischief may be limited, but the proof of concept or theory is considered sufficiently viable.

Recommended Action

If you are still using a Vigor 2700G or 2700VG you should download and install firmware version 2.8.4 or later. For the Vigor 2100G or Vigor 2100VG, it's firmware version

Disclaimer : Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.