
D-Link developers fixed serious bugs in their routers

In the summer of this year, Digital Defense specialists discovered quite serious bugs in a number of D-Link router models. They were vulnerable to command injections, including remote ones.

Initially, problems were found in DSR-250 routers with firmware version 3.17, but it then turned out that the vulnerabilities also affect other devices from the manufacturer, namely the D-Link DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers with firmware versions 3.17 and earlier.

“The most serious of these bugs potentially allowed an unauthenticated attacker to access the Unified Services Router’s web interface (over a LAN or WAN) to inject arbitrary commands to be executed with root privileges”, Digital Defense researchers said.

To exploit these problems, an attacker only needs to send a specially crafted request to the device, which leads to full control over it.

In essence, with these bugs, hackers could use the gained access to intercept traffic, modify it, or attack other connected devices.

At first, the D-Link developers were reluctant to acknowledge some of the discovered problems, arguing that they were minimal and rather difficult to use in the real world.

We have already written about this kind of behaviour from the company. In February 2020, Palo Alto Networks experts identified a number of serious vulnerabilities in the D-Link DIR-865L routers and immediately informed the manufacturer. However, so far these D-Link routers have not received all fixes.

D-Link specialists have since assessed the scale of the threats detected by Digital Defense, acknowledged the vulnerabilities and published some details, saying that the root of the most dangerous problems was that some Lua CGIs are available without authentication.

Patches have now been released for all affected router models: the latest firmware that fixes the issue is 3.17B401C.

“Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates”, according to the D-Link developers.

At the same time, users should not expect a patch for the less serious vulnerability: to exploit it, the attacker first needs to gain access to the device and load the configuration file, and the developers refused to recognize this as a serious problem.

Let me remind you that attackers can spy on you through certain models of D-Link cameras.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
