Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

D-Link Failed to Patch HNAP Flaws in Routers: Researcher

D-Link has failed to properly fix vulnerabilities affecting several router models, according to a researcher. The networking equipment manufacturer says it’s currently working on addressing the issues.

D-Link has failed to properly fix vulnerabilities affecting several router models, according to a researcher. The networking equipment manufacturer says it’s currently working on addressing the issues.

The vulnerabilities, related to the Home Network Administration Protocol (HNAP), were reported earlier this year by Samuel Huntley and Zhang Wei of Qihoo360. The issues identified by Huntley were later independently discovered by Craig Heffner, a vulnerability researcher at Tactical Network Solutions.D-Link DIR890L

According to security advisories published by D-Link, the vulnerabilities found by the researchers affect router models such as DAP-1522, DIR-629, DIR-300, DIR-600, DIR-645, DIR-815, DIR-816L, DIR-850L, and even the new DIR-890L.

The vulnerabilities can be exploited by an unauthenticated attacker for command injection through HNAP requests. A malicious actor could leverage the flaws to gain access to information on hosts connected to the network, change system settings, and reset the device to its factory settings.

HNAP is a protocol used for identifying, configuring and managing network devices. In the case of D-Link devices, HNAP is used by setup utilities for the initial configuration of the router.

D-Link has released firmware updates for some of the affected devices, including DIR-890L. However, after analyzing the patches, Heffner has determined that the issues have not been addressed.

“This patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!” Heffner said in a blog post.

D-Link says it’s working on fixing the flaws reported by researchers.

“Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are currently working to provide firmware updates to address these issues,” D-Link told SecurityWeek via email.

Advertisement. Scroll to continue reading.

The company advises users to keep a close eye on the support news page for any updates.

Last month, researchers reported finding several vulnerabilities in D-Link routers, including DNS hijacking and command injection flaws. D-Link has released firmware updates to address those bugs.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.