Some days ago it became public knowledge that some routers, that’s devices used for establishing Internet connections among other things, are listening on the undocumented port 32764.
First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B.
The list on the Github website is large, and it is likely that here are other routers affected not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.
It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.
Find out if your router is listening on port 32764
If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.
There are several options to find that out. Here are several ones:
- Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all set ups though. You can check your IP address here.
- Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py –ip yourRouterIP. For instance python poc.py –ip 192.168.1.1
- If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.
- Alternatively, try running router backdoor scanner, a script that attempts to establish a connection on the port.
Fixes if your router is leaking information
If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.
- Add a rule to the router’s firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router’s web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.
- Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.
- Get a router that is not affected by the vulnerability.
Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.