Loginsoft experts have reported about five serious vulnerabilities found in some models of D-Link routers. Even worse, support for some vulnerable devices has already been discontinued, which means they will not receive patches, while PoC exploits for problems have already been made public.Among discovered by researchers problems were: reflected XSS attacks; a buffer overflow to find out the administrator’s credentials; bypass authentication; arbitrary code execution. Basically, anyone with access to the device’s admin page can perform the listed attacks without even knowing the credentials.
“Fortunately, in most cases, to gain access to the admin interface, an attacker must be on the same network as the router (for example, it could be a connection to a public access point or a single internal network)”, – say Loginsoft experts.
The situation is seriously complicated by opportunity of remote connection to the router: then the attacker will only need to make a request for the router’s IP address, bypass authentication, and take control of the device and the network. According to the search engine Shodan, more than 55,000 D-Link devices currently can be remotely accessed.
D-Link specialists have already published a list of all devices vulnerable to five new problems. Some of these bugs were reported back in February 2020, while Loginsoft’s research, according to the company, was conducted in March.
At the same time, the company does not specify what will be DAP-1522 and DIR-816L devices, for which support and release of updates have already been discontinued. These routers running firmware 1.42 (and later) and 12.06.B09 (and later) remain vulnerable and there is no way to patch them.
However, for another old model, DAP-1520, D-Link made an exception and released a beta version of the patch (1.10b04Beta02).
It all reminded about curious story about vulnerabilities in D-Link products, when for 8 years Cereals IoT botnet used one of the vulnerabilities in D-Link’s NAS and NVR to… download anime.
List of disclosed vulnerabilities:
- CVE-2020-15892: DAP 1520: Buffer overflow in the `ssi` binary, leading to arbitrary command execution.
- CVE-2020-15893: DIR-816L: Command injection vulnerability in the UPnP via a crafted M-SEARCH packet
- CVE-2020-15894: DIR-816L: Exposed administration function, allowing unauthorized access to the few sensitive information.
- CVE-2020-15895: DIR-816L: Reflected XSS vulnerability due to an unescaped value on the device configuration
- CVE-2020-15896: DAP-1522: Exposed administration function, allowing unauthorized access to the few sensitive information.