Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

D-Link Patches Recently Disclosed Router Vulnerabilities

D-Link has released firmware updates for its DIR-850L router to address a majority of the vulnerabilities disclosed recently by a security researcher.

D-Link has released firmware updates for its DIR-850L router to address a majority of the vulnerabilities disclosed recently by a security researcher.

Earlier this month, researcher Pierre Kim disclosed the details of several flaws affecting D-Link DIR-850L routers and the company’s mydlink cloud services. The expert decided to make his findings public without giving D-Link time to release fixes due to the way the vendor had previously handled patching and coordination.

D-Link has now released updates for both revision A and B of the firmware for DIR-850L devices. The company has provided detailed instructions for updating the firmware, which it says is a two-step process.D-Link patches DIR-850L vulnerabilities

The vulnerabilities found by Kim include the lack of firmware protections, cross-site scripting (XSS), denial-of-service (DOS), and weaknesses that can be exploited to execute arbitrary commands.

The researcher also discovered that flaws in the mydlink cloud service, which allows users to access their D-Link devices from anywhere over the Internet, can be exploited by a remote and unauthenticated attacker to take complete control of a router.

Kim has analyzed the firmware updates and determined that a majority of the flaws he identified have been patched. The researcher said only a DoS issue does not appear to have been addressed properly, and he did not check some weak cloud protocol problems due to the process taking too much time.

A total of 18 CVE identifiers have been assigned by MITRE to the vulnerabilities in DIR-850L routers.

“I’m happily surprised by the results of dropping 0days without coordinated disclosure when it is about D-Link products,” Kim said. “Should this be the only method with D-Link to get working security patches in a timely manner? Hopefully one day a coordinated disclosure could work in the same way.”

Kim noted that he has identified another pre-authentication exploit that still works in revision B of the firmware.

Advertisement. Scroll to continue reading.

D-Link also announced this week that a federal judge has dismissed three of the six counts in a complaint filed in January by the U.S. Federal Trade Commission (FTC) against the company over its alleged failure to implement proper security measures and making deceptive claims about the security of its products.

Related: Vulnerabilities, Backdoors Found in D-Link Mobile Hotspot

Related: D-Link Failed to Patch HNAP Flaws in Routers

Related: D-Link Patches Critical Flaw in DIR Routers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...