D-Link Preparing Firmware Updates to Fix Router Vulnerabilities

D-Link will release firmware updates in the coming days to address multiple router vulnerabilities uncovered in recent months by security researchers.

The flaws, discovered by Peter Adkins and Tiago Caetano Henriques, are related to the ncc/ncc2 service. Several D-Link router models are said to be impacted, including DIR-820L, DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L and DIR-836L. TRENDnet TEW-731BR and possibly other TRENDnet models are also affected.

One of the vulnerabilities is related to fwupgrade.ccp, an ncc/ncc2 resource used when basic firmware and language file updates are performed through the router’s Web interface. During the update process, a POST request is sent to fwupgrade.ccp. The problem, according to Adkins, is that the resource doesn’t filter requests properly, allowing an unauthenticated attacker to upload arbitrary files to the vulnerable device’s file system.

For example, the flaw can be exploited by malicious actors to overwrite the resolv.conf file, which is used to configure the router’s Domain Name System (DNS) resolver, and hijack the victim’s DNS configuration.

A different security hole (CVE-2015-1187) is related to an ncc/ncc2 resource called ping.ccp, which is used for basic “ping” diagnostics. According to Henriques, the resource doesn’t correctly filter input, which allows an attacker to inject arbitrary commands.

“Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router,” Henriques said in an advisory.

Finally, Adkins discovered that several diagnostic hooks enabled by default on affected devices can be queried without authentication. One of the hooks can be abused for arbitrary command injection, while others can be leveraged to access credentials and configuration data, including the router’s default WPS PIN, GUI management credentials, PPPoE credentials, and email credentials.

The vulnerabilities can be exploited by a local attacker. Remote exploitation is also possible via cross-site request forgery (CSRF) attacks, or if the targeted device has the remote network management feature enabled. It’s worth noting that this feature is disabled by default.
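For defenders who want to watch for the request patterns described above, the following added example (not from the article, the researchers or D-Link) flags POSTs to the two named resources that arrive from outside the LAN or carry a cross-site Referer, which is what a CSRF-driven request would look like. The router address, LAN range, log layout and sample lines are assumptions constructed for illustration; it presumes HTTP requests to the router are visible in a combined-style access log, for example from a proxy or network sensor.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions, not from the article: router address, LAN range, log layout
# (combined-log style: src - - [time] "METHOD target proto" status size "referer").
ROUTER_HOSTS = {"192.168.0.1"}
LAN = ipaddress.ip_network("192.168.0.0/24")
WATCHED = ("fwupgrade.ccp", "ping.ccp")  # the two resources the article names
LINE_RE = re.compile(r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                     r'(?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def classify(line):
    """Return (resource, reasons) for a suspicious POST, or None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    resource = urlsplit(m["target"]).path.rsplit("/", 1)[-1].lower()
    if resource not in WATCHED:
        return None
    reasons = []
    try:
        if ipaddress.ip_address(m["src"]) not in LAN:
            reasons.append("source outside LAN")
    except ValueError:  # a hostname was logged instead of an address
        reasons.append("source outside LAN")
    referer = m["referer"]
    ref_host = None if referer in ("", "-") else urlsplit(referer).hostname
    if ref_host is None:
        reasons.append("no usable Referer")
    elif ref_host not in ROUTER_HOSTS:
        reasons.append(f"cross-site Referer {ref_host}")
    return (resource, reasons) if reasons else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines, not captured from any real device.
SAMPLE = [
    '192.168.0.23 - - [02/Mar/2015:10:01:12 +0000] "POST /ping.ccp HTTP/1.1" 200 312 "http://192.168.0.1/"',
    '192.168.0.23 - - [02/Mar/2015:10:04:40 +0000] "POST /ping.ccp HTTP/1.1" 200 312 "http://forum.example/thread?id=7"',
    '203.0.113.50 - - [02/Mar/2015:11:30:02 +0000] "POST /fwupgrade.ccp HTTP/1.1" 200 88 "-"',
    '192.168.0.23 - - [02/Mar/2015:11:31:00 +0000] "GET / HTTP/1.1" 200 1024 "-"',
]

if __name__ == "__main__":
    for resource, reasons in scan(SAMPLE):
        print(resource, "->", "; ".join(reasons))
```

A missing Referer is a weak signal on its own, since browsers and privacy tools may strip it, so treat that reason as a prompt to look at the source address and timing rather than as a verdict.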

Adkins disclosed the details of the security issues last week after D-Link failed to properly communicate a timeline for patches. The ping.ccp flaw, which is considered the most severe, was independently discovered by Henriques back in November. Henriques, who reported his findings to Swisscom CSIRT in mid-December, published his own advisory for the vulnerability after seeing Adkins’ report.

D-Link has already released firmware updates for DIR-820L routers. An advisory published by the company on Monday shows that firmware updates for the other affected products are under development and they should become available over the next week. TRENDnet fixed the vulnerabilities with the release of firmware version 2.02b01 on February 10.

Until firmware updates become available for all the impacted devices, D-Link advises users to take steps to protect themselves against potential attacks.

“The default configuration of D-Link’s routers is to provide simple installation, ease of usability, and offer widest interoperability. D-Link Systems reminds customers to configure their devices specifically to and for security concerns within their network infrastructure,” D-Link said. “In general, D-Link Systems recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router’s log files, and access-lists for your devices so security risks for your entire network are minimized.”

This isn’t the first time Adkins has found vulnerabilities in routers. Back in February, the researcher reported identifying several flaws in Netgear wireless routers.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
