
D-Link Failed to Patch HNAP Flaws in Routers: Researcher

D-Link has failed to properly fix vulnerabilities affecting several router models, according to a researcher. The networking equipment manufacturer says it’s currently working on addressing the issues.

The vulnerabilities, related to the Home Network Administration Protocol (HNAP), were reported earlier this year by Samuel Huntley and Zhang Wei of Qihoo360. The issues identified by Huntley were later independently discovered by Craig Heffner, a vulnerability researcher at Tactical Network Solutions.

According to security advisories published by D-Link, the vulnerabilities found by the researchers affect router models such as DAP-1522, DIR-629, DIR-300, DIR-600, DIR-645, DIR-815, DIR-816L, DIR-850L, and even the new DIR-890L.

The vulnerabilities can be exploited by an unauthenticated attacker for command injection through HNAP requests. A malicious actor could leverage the flaws to gain access to information on hosts connected to the network, change system settings, and reset the device to its factory settings.

HNAP is a protocol used for identifying, configuring and managing network devices. In the case of D-Link devices, HNAP is used by setup utilities for the initial configuration of the router.

D-Link has released firmware updates for some of the affected devices, including DIR-890L. However, after analyzing the patches, Heffner has determined that the issues have not been addressed.

“This patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!” Heffner said in a blog post.

D-Link says it’s working on fixing the flaws reported by researchers.

“Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are currently working to provide firmware updates to address these issues,” D-Link told SecurityWeek via email.

The company advises users to keep a close eye on the support news page for any updates.

Last month, researchers reported finding several vulnerabilities in D-Link routers, including DNS hijacking and command injection flaws. D-Link has released firmware updates to address those bugs.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.