D-Link Routers – Risk of Remote Takeover from Zero-Day Flaws!

Critical vulnerabilities discovered by Digital Defence can allow attackers to gain root access & take over devices running the same firmware.

Bug-laden firmware opens a number of D-Link VPN router models to zero-day attacks. The flaws, which lack a complete vendor fix, let adversaries launch root command injection attacks that can be executed remotely & allow for device takeover.

Bugs

Impacted are D-Link router models DSR-150, DSR-250, DSR-500 & DSR-1000AC VPN running firmware version 3.14 & 3.17, according to a report published Tues. by Digital Defence.  The attacks depend on 3 chained bugs identified by researchers as an unauthenticated remote LAN/WAN root command injection flaw, authenticated root command injection vulnerability & an authenticated crontab injection.

The flaws (CVE-2020-25757, CVE-2020-25759, CVE-2020-25758) were confirmed by D-Link. However, the company says beta firmware patches & hot-patch mitigations available for its DSR-150, DSR-250 & DSR-500 models significantly reduce the ability for an adversary to target a vulnerable router.

Patches

“The 2 vulnerabilities were confirmed, & patches are under development. One of the reported vulnerabilities is how the device functionally works, & D-Link will not correct it on this generation of products,” D-Link wrote in response to the research.

Some of the impacted router models were 1st introduced in 2012 & appear to lack the same type of patching cadence as more modern D-Link router models. E.g., D-Link’s DSR-150 was released over 7 years ago.

Absent from the D-Link support page is information or fixes for more recent router models DSR-500 & DSR-1000AC VPN. Both were identified by Digital Defence as vulnerable to remotely exploitable root command injection flaws.

Work-from-Home Reality

The routers are common home networking devices sold at numerous retail outlets, which means that people working remotely due to the COVID-19 pandemic likely are exposing not only their own environments but also corporate networks to risk, Digital Defence researchers noted.

The key vulnerability can be exploited over the internet without authentication using both WAN & LAN interfaces, giving a remote, unauthenticated attacker with access to the router’s web interface the ability to execute arbitrary commands as root, “effectively gaining complete control of the router,” according to the Digital Defence report.

“With this access, an attacker could intercept and/or modify traffic, cause denial of service conditions & launch further attacks on other assets,” researchers commented, adding that D-Link routers can connect up to 15 other devices at once.

Technical Insights

D-Link provided some technical detail about the bug in its report, noting that “the following Lua CGI actions, which are accessible without authentication, execute a Lua library function which passes user-supplied data to a call to os.popen() as part of a command intended to calculate a hash: /platform.cgi?action=duaAuth, /platform.cgi?action=duaLogout.”

Additional to the unauthenticated command injection vulnerability, Digital Defence also reported 2 others to D-Link that can be exploited by attackers to take control of the routers, the company stated.

Lua CGI

The 2nd flaw is similar to the 1st but requires an authenticated user with access to the “Unified Services Router” web interface to inject arbitrary commands that will be executed with root privileges, says D-Link.

“The Lua CGI, which handles requests from the ‘Package Management’ form in the ‘Unified Services Router’ web interface, has no server-side filtering for the multi-part POST parameters payload, which are passed to os.execute() functions intended to move the uploaded file to another directory,” according to D-Link.
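Both injection flaws described above share one shape: a request parameter is spliced into a shell command string (a hash computed via os.popen() in the unauthenticated case, a file move via os.execute() in the Package Management case). The following is an added example, not D-Link firmware code and not a reconstruction of the Lua handlers, that shows the unsafe pattern beside a hardened counterpart: the command string is only built, never executed, and the safe versions avoid a shell entirely. The md5 digest, the echo | md5sum pipeline, the allowlist pattern and the function names are assumptions for this illustration.

```python
import hashlib
import os
import re
import shutil

# Added illustration of the pattern the report describes, not D-Link firmware
# code. The md5 digest and the echo|md5sum pipeline are assumptions standing in
# for the unnamed hash the Lua CGI computes.
def insecure_hash_command(username: str) -> str:
    """Return the command string an unsafe handler would hand to a popen()-style
    call. The parameter is interpolated verbatim, so any shell metacharacter in
    it becomes part of the command. This only builds the string; it never runs it."""
    return "echo -n " + username + " | md5sum"

# Allowlist for any parameter that reaches an OS-level call: letters, digits and
# a few punctuation characters, bounded length, nothing the shell interprets.
SAFE_PARAM = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

def is_shell_safe(value: str) -> bool:
    return SAFE_PARAM.fullmatch(value) is not None

def safe_hash(username: str) -> str:
    """Hardened counterpart: validate, then hash in-process. No shell is
    involved, so there is nothing to inject into."""
    if not is_shell_safe(username):
        raise ValueError("rejected parameter")
    return hashlib.md5(username.encode()).hexdigest()

def validated_destination(filename: str, dest_dir: str):
    """Hardened counterpart of moving an uploaded package with a shell 'mv':
    accept only a bare, allowlisted file name and confirm the final path stays
    inside dest_dir. Returns the destination path, or None if rejected."""
    if filename in (".", ".."):
        return None
    if os.path.basename(filename) != filename or not is_shell_safe(filename):
        return None
    root = os.path.realpath(dest_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest

def safe_move_upload(filename: str, src_dir: str, dest_dir: str) -> str:
    """Move the upload with a library call instead of os.execute('mv ...')."""
    dest = validated_destination(filename, dest_dir)
    if dest is None:
        raise ValueError("rejected filename")
    shutil.move(os.path.join(src_dir, filename), dest)
    return dest
```

The point of the two safe functions is not the allowlist alone but the removal of the shell from the data path: once the hash is computed in-process and the file is moved with a library call, a hostile parameter can at worst be rejected, never interpreted.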

Injection Vulnerability

The 3rd issue is an authenticated crontab injection vulnerability that allows authenticated users with access to the “Unified Services Router” web interface, either on LAN or WAN, to inject arbitrary CRON entries, according to D-Link.

The entries are injected by modifying a downloaded router configuration file, updating the CRC & re-uploading the resulting crafted configuration file, after which they are executed as root, the company observed.

“The mechanism by which the configuration file is authenticated upon upload is trivially bypassed by a malicious user creating a crafted configuration file that adds new entries to execute arbitrary commands as root,” according to D-Link.
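The crontab issue above turns on what the upload check actually verifies: a CRC proves only that the file was not corrupted in transit, and anyone who edits the file can recompute it. The following added example, which is not D-Link code and uses a constructed key=value export format rather than the real configuration layout, contrasts that checksum-only check with two defender-side controls: a keyed integrity trailer (HMAC-SHA256 under a device-held secret) and content validation that rejects any setting outside an allowlist, so a cron-style entry is refused even when the file is otherwise intact. The file format, key names and function names are assumptions for this illustration.

```python
import hashlib
import hmac
import zlib

# Constructed configuration export format for this example (not D-Link's real
# file layout): one key=value line per setting, then one trailer line carrying
# the integrity value.
SAMPLE_CONFIG = "hostname=office-router\nlan.ip=192.168.1.1\n"

# Setting keys the importer is willing to accept. Anything outside this list,
# including a cron-style entry, is rejected during content validation.
ALLOWED_PREFIXES = ("hostname=", "lan.", "wan.", "vpn.", "dhcp.")

def crc_trailer(body: str) -> str:
    """Checksum-only trailer. CRC32 detects accidental corruption but involves
    no secret, so whoever edits the body can recompute it."""
    return "crc32=%08x" % (zlib.crc32(body.encode()) & 0xFFFFFFFF)

def hmac_trailer(body: str, key: bytes) -> str:
    """Keyed trailer: HMAC-SHA256 under a secret held by the device, so an
    edited body cannot be re-signed without that key."""
    return "hmac=" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def export_config(body: str, key: bytes) -> str:
    """What the device hands out on download: body plus keyed trailer."""
    return body + hmac_trailer(body, key) + "\n"

def split_blob(blob: str):
    """Separate the settings body from the final trailer line."""
    lines = blob.rstrip("\n").split("\n")
    return "\n".join(lines[:-1]) + "\n", lines[-1]

def crc_only_check(blob: str) -> bool:
    """The weak check: passes for any body whose CRC was recomputed."""
    body, trailer = split_blob(blob)
    return trailer == crc_trailer(body)

def validate_body(body: str) -> list:
    """Content check that runs regardless of integrity: every non-comment line
    must be an allowlisted key=value setting."""
    problems = []
    for n, line in enumerate(body.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0]
        if "=" not in line or not line.startswith(ALLOWED_PREFIXES):
            problems.append("line %d: disallowed setting '%s'" % (n, key))
    return problems

def accept_upload(blob: str, key: bytes):
    """Importer decision: keyed integrity first, then content validation.
    Returns (accepted, problems)."""
    body, trailer = split_blob(blob)
    if not hmac.compare_digest(trailer, hmac_trailer(body, key)):
        return False, ["integrity check failed"]
    problems = validate_body(body)
    return not problems, problems
```

Two controls are deliberately kept separate: the keyed trailer stops an edited file from being accepted as the device's own export, and the allowlist stops a legitimately signed file from carrying settings the importer was never meant to honour. Either one alone would have been enough to block the described bypass; together they also cover a leaked or shared key.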

Beta Patches & Partial Fixes

Final patches for the first 2 flaws are currently under development & will be released by mid-Dec., according to D-Link.

“D-Link has made a patch in the form of a hotfix for the affected firmware versions and models. Reference the information provided in D-Link’s support announcement. The official firmware release is anticipated in mid-Dec. Users are advised to verify their hardware model & firmware to identify vulnerable devices & apply provided hotfix & any other updates until the official firmware is available,” Digital Defence wrote.

Home Networks

Home networks & the devices that run them have risen among security concerns since March when COVID-19 pandemic restrictions 1st forced those who could to work from home, with many organisations largely unprepared.

As the pandemic continues, so do concerns about the safety of corporate networks connected to home networks, which are inherently less secure & pose a host of new threats.

A report released earlier this year found that most home routers contain a number of known vulnerabilities—sometimes 100s of them—that remained largely unpatched, meaning that many of those currently working from home are likely at risk.
