D-Link routers did not receive fixes for critical bugs

In February of this year, Palo Alto Networks experts identified a number of serious vulnerabilities in the D-Link DIR-865L routers, and immediately informed the manufacturer about it. However, so far these D-Link routers did not receive all fixes.

Unfortunately, this router model, released back in 2012, is no longer supported in the United States, although for European users the status of this product is designated as “End of Sale”. This means that the model has already been discontinued, but must still be supported by the manufacturer.

Alas, as it became known now, due to the “senior age” of this model, routers still did not receive corrections for all detected vulnerabilities. Therefore, the researchers found the following bugs in the D-Link DIR-865L:

• CVE-2020-13782: team injection, critical vulnerability (9.8 points on the CVSS scale); not fixed;
• CVE-2020-13786: CSRF vulnerability, high severity (8.8 points on the CVSS scale); fixed;
• CVE-2020-13785: incorrect cryptographic strength, high level of severity (7.5 points on the CVSS scale); fixed;
• CVE-2020-13784: predictable seed in a pseudo random number generator, high severity level (7.5 points on the CVSS scale); not fixed;
• CVE-2020-13783: storage of confidential information in clear text, high severity level (7.5 points on the CVSS scale); fixed;
• CVE-2020-13787: transmission of confidential information in clear text, high level of severity (7.5 points on the CVSS scale); not fixed.

It is worth noting that although the vulnerability CVE-2020-13782 has received critical status, researchers write in their report that its use still requires authentication. Although this can be achieved using the aforementioned CSRF bug, it still reduces the level of danger of the problem.

However, experts say that combining some of these vulnerabilities could allow attackers to intercept the victim’s network traffic and steal session cookies, which, of course, is very dangerous.

D-Link specialists responded to the experts’ message with the beta version of the firmware, however, as can be concluded from the above list, only three of the six vulnerabilities were fixed in it: CSRF, weak encryption and storage of confidential information in clear text.

Moreover, D-Link representatives generally recommend that users from the United States abandon the use of problematic routers, as this can be dangerous for devices and connected to them users.

By the way, we wrote that the developers of D-Link and Linksys routers reset Smart Wi-Fi passwords due to DNS spoofing attacks.

Bleeping Computer requested comments from company representatives, wanting to know the fate of the three remaining vulnerabilities, but the manufacturer did not respond.

“Most users rarely change their routers and do not monitor the expiration of their support period. This type of equipment is more likely to belong to the “install and forget” category, and routers are changed only when they cease to function”, – write Bleeping Computer journalists.

Because of this, it is unlikely that many D-Link DIR-865L owners will ever read the manufacturer’s warning or install patches for at least three of the six vulnerabilities.

By the way, do not relax and read how attackers can spy on you through certain models of D-Link cameras.