D-Link Preparing Firmware Updates to Fix Router Vulnerabilities

D-Link will release firmware updates in the upcoming days to address multiple router vulnerabilities uncovered over the past months by security researchers.

The flaws, discovered by Peter Adkins and Tiago Caetano Henriques, are related to the ncc/ncc2 service. Several D-Link router models are said to be impacted, including DIR-820L, DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L and DIR-836L. TRENDnet TEW-731BR and possibly other TRENDnet models are also affected.

One of the vulnerabilities is related to fwupgrade.ccp, an ncc/ncc2 resource used when basic firmware and language file updates are performed through the router’s Web interface. During the update process, a POST request is sent to fwupgrade.ccp. The problem, according to Adkins, is that the resource doesn’t filter requests properly, allowing an unauthenticated attacker to upload arbitrary files to the vulnerable device’s file system.

For example, the flaw can be exploited by malicious actors to overwrite the resolv.conf file, which is used to configure the router’s Domain Name System (DNS) resolver, and hijack the victim’s DNS configuration.

A different security hole (CVE-2015-1187) is related to an ncc/ncc2 resource called ping.ccp, which is used for basic “ping” diagnostics. According to Henriques, the resource doesn’t correctly filter input, which allows an attacker to inject arbitrary commands.

“Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router,” Henriques said in an advisory.

Finally, Adkins discovered that several diagnostic hooks enabled by default on affected devices can be queried without authentication. One of the hooks can be abused for arbitrary command injection, while others can be leveraged to access credentials and configuration data, including the router’s default WPS PIN, GUI management credentials, PPPoE credentials, and email credentials.

The vulnerabilities can be exploited by a local attacker. Remote exploitation is also possible via cross-site request forgery (CSRF) attacks, or if the targeted device has the remote network management feature enabled. It’s worth noting that this feature is disabled by default.

Adkins disclosed the details of the security issues last week after D-Link failed to properly communicate a timeline for patches. The ping.ccp flaw, which is considered the most severe, was independently discovered by Henriques back in November. Henriques, who reported his findings to Swisscom CSIRT in mid-December, published his own advisory for the vulnerability after seeing Adkins’ report.

D-Link has already released firmware updates for DIR-820L routers. An advisory published by the company on Monday shows that firmware updates for the other affected products are under development and they should become available over the next week. TRENDnet fixed the vulnerabilities with the release of firmware version 2.02b01 on February 10.

Until firmware updates become available for all the impacted devices, D-Link advises users to take steps to protect themselves against potential attacks.

“The default configuration of D-Link’s routers is to provide simple installation, ease of usability, and offer widest interoperability. D-Link Systems reminds customers to configure their devices specifically to and for security concerns within their network infrastructure,” D-Link said. “In general, D-Link Systems recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the routers log files, and access-lists for your devices so security risks for your entire network are minimized.”

This isn’t the first time Adkins has found vulnerabilities in routers. Back in February, the researcher reported identifying several flaws in Netgear wireless routers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
