Cisco Lists 77 Routers at Risk of ‘Drive-by Pharming’

Cisco has sent out a warning that many of its Small Office/Home Office (SOHO), Remote Office/Branch Office (ROBO), and Teleworker business routers could be susceptible to "Drive-by Pharming", a new security threat that uses JavaScript.

The company posted a security response on its website on February 20, 2007, a list of 77 vulnerable routers sold to small offices, home offices, branch offices, and telecommuters.

The firm wrote that its response related to the information in Symantec paper, whose content had relevance to Cisco's non-consumer products. Since the paper does not discuss any flaws in Cisco products, the company has presented this response rather than a security advisory.

The objective of the response was to issue some specific information to its customers. The information contained ways to change any default settings that might be previously configured on an affected Cisco router, at the time of the configuration of the device before connecting it to a public network.

According to the recommendations of the response, users need to alter the default usernames or passwords before accessing the router's configuration set up and deactivate the HTTP server feature in the device.

To facilitate lessening of the risks in the type of attacks that Symantec paper presents, Cisco recommends removal of any default username and password combinations bundled with the device. If the Cisco router configuration does neither have SDM nor CRWS, and there's no need of the IOS HTTP server in a specific environment, it's wiser to disable it.

When a Symantec researcher and two others from Indiana University signed the paper they urged a similar action by router owners. Since owners of home routers set a relatively secured password that is neither a default one nor easy to guess, they are not susceptible to the JavaScript-based router manipulation.

The report suggested that router creators use the serial number of the device to get passwords. This number is unique to each router so it makes a more secure password.

While pharming cases have not yet surfaced, the practice could affect 50% of the users who have purchased routers but haven't modified the default password, Symantec wrote.

Related article: Cisco Finds Two Vulnerabilities and Recommends for Patches

» SPAMfighter News - 3/1/2007