D-Link Failed to Patch HNAP Flaws in Routers: Researcher

D-Link has failed to properly fix vulnerabilities affecting several router models, according to a researcher. The networking equipment manufacturer says it’s currently working on addressing the issues.

The vulnerabilities, related to the Home Network Administration Protocol (HNAP), were reported earlier this year by Samuel Huntley and Zhang Wei of Qihoo360. The issues identified by Huntley were later independently discovered by Craig Heffner, a vulnerability researcher at Tactical Network Solutions.

According to security advisories published by D-Link, the vulnerabilities found by the researchers affect router models such as DAP-1522, DIR-629, DIR-300, DIR-600, DIR-645, DIR-815, DIR-816L, DIR-850L, and even the new DIR-890L.

The vulnerabilities can be exploited by an unauthenticated attacker for command injection through HNAP requests. A malicious actor could leverage the flaws to gain access to information on hosts connected to the network, change system settings, and reset the device to its factory settings.

HNAP is a protocol used for identifying, configuring and managing network devices. In the case of D-Link devices, HNAP is used by setup utilities for the initial configuration of the router.

D-Link has released firmware updates for some of the affected devices, including DIR-890L. However, after analyzing the patches, Heffner has determined that the issues have not been addressed.

“This patch does nothing to prevent unauthenticated users from executing completely valid administrative HNAP actions, because all it does is ensure that the HNAP action is valid. That’s right, their patch doesn’t even address all the bugs listed in their own security advisory!” Heffner said in a blog post.
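
The gap described in that quote, as an added example that is not code from the article, from Heffner, or from D-Link firmware: a handler that only checks whether the requested action is valid, beside one that also requires authentication for state-changing actions. The action names, the header format, the `authenticated` flag and the response strings are assumptions made for illustration.

```python
"""Added illustration. Action names, header format and the authentication
flag are assumptions, not D-Link firmware code."""

# Hypothetical action table: name -> True if the action changes device state.
ACTIONS = {
    "GetDeviceSettings": False,   # read-only discovery
    "SetDeviceSettings": True,    # changes system settings
    "SetFactoryDefault": True,    # resets the device to factory settings
}


def action_name(header_value: str) -> str:
    """Return the last path component of the action header value."""
    return header_value.strip().strip('"').rsplit("/", 1)[-1]


def validate_only(header_value: str, authenticated: bool) -> str:
    """Validity check alone: a known action is dispatched for any caller."""
    name = action_name(header_value)
    if name not in ACTIONS:
        return "400 invalid action"
    return f"200 dispatch {name}"


def validate_and_authorize(header_value: str, authenticated: bool) -> str:
    """Same validity check, plus an authentication gate on state changes."""
    name = action_name(header_value)
    if name not in ACTIONS:
        return "400 invalid action"
    if ACTIONS[name] and not authenticated:
        return "401 authentication required"
    return f"200 dispatch {name}"


# Constructed requests: (action header value, caller is authenticated?)
SAMPLES = [
    ("http://example.invalid/HNAP1/GetDeviceSettings", False),
    ("http://example.invalid/HNAP1/Bogus;x", False),  # malformed action name
    ("http://example.invalid/HNAP1/SetFactoryDefault", False),
    ("http://example.invalid/HNAP1/SetFactoryDefault", True),
]


def compare():
    """Return (header, validate_only result, validate_and_authorize result)."""
    return [(h, validate_only(h, a), validate_and_authorize(h, a))
            for h, a in SAMPLES]


if __name__ == "__main__":
    for header, weak, fixed in compare():
        print(f"{header:50} validity-only={weak!r:34} with-auth={fixed!r}")
```

Both handlers reject the malformed action name, but only the second refuses the unauthenticated reset request, which is the difference between validating an action and authorizing it.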

D-Link says it’s working on fixing the flaws reported by researchers.

“Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are currently working to provide firmware updates to address these issues,” D-Link told SecurityWeek via email.

The company advises users to keep a close eye on the support news page for any updates.

Last month, researchers reported finding several vulnerabilities in D-Link routers, including DNS hijacking and command injection flaws. D-Link has released firmware updates to address those bugs.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
