Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



D-Link Preparing Firmware Updates to Fix Router Vulnerabilities

D-Link will release firmware updates in the upcoming days to address multiple router vulnerabilities uncovered over the past months by security researchers.

D-Link will release firmware updates in the upcoming days to address multiple router vulnerabilities uncovered over the past months by security researchers.

The flaws, discovered by Peter Adkins and Tiago Caetano Henriques, are related to the ncc/ncc2 service. Several D-Link routers models are said to be impacted, including DIR-820L, DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L and DIR-836L. TRENDnet TEW-731BR and possibly other TRENDnet models are also affected.

One of the vulnerabilities is related to fwupgrade.ccp, an ncc/ncc2 resource used when basic firmware and language file updates are performed through the router’s Web interface. During the update process, a POST request is sent to fwupgrade.cpp. The problem, according to Adkins, is that the resource doesn’t filter requests properly, allowing an unauthenticated attacker to upload arbitrary files to the vulnerable device’s file system.

For example, the flaw can be exploited by malicious actors to overwrite the resolv.conf file, which is used to configure the router’s Domain Name System (DNS) resolver, and hijack the victim’s DNS configuration.

A different security hole (CVE-2015-1187) is related to an ncc/ncc2 resource called ping.ccp, which is used for basic “ping” diagnostics. According to Henriques, the resource doesn’t correctly filter input, which allows an attacker to inject arbitrary commands.

“Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/nat rules on this router,” Henriques said in an advisory.

Finally, Adkins discovered that several diagnostic hooks enabled by default on affected devices can be queried without authentication. One of the hooks can be abused for arbitrary command injection, while others can be leveraged to access credentials and configuration data, including the router’s default WPS PIN, GUI management credentials, PPPoE credentials, and email credentials.

Advertisement. Scroll to continue reading.

The vulnerabilities can be exploited by a local attacker. Remote exploitation is also possible via cross-site request forgery (CSRF) attacks, or if the targeted device has the remote network management feature enabled. It’s worth noting that this feature is disabled by default.

Adkins disclosed the details of the security issues last week after D-Link failed to properly communicate a timeline for patches. The ping.ccp flaw, which is considered the most severe, was independently discovered by Henriques back in November. Henriques, who reported his findings to Swisscom CSIRT in mid-December, published his own advisory for the vulnerability after seeing Adkins’ report.

D-Link has already released firmware updates for DIR-820L routers. An advisory published by the company on Monday shows that firmware updates for the other affected products are under development and they should become available over the next week. TRENDnet fixed the vulnerabilities with the release of firmware version 2.02b01 on February 10.

Until firmware updates become available for all the impacted devices, D-Link advises users to take steps to protect themselves against potential attacks.

“The default configuration of D-Link’s routers is to provide simple installation, ease of useability, and offer widest interoperability. D-Link Systems reminds customers to configure their devices specifically to and for security concerns within their network infrastructure,” D-Link said. “In General, D-Link Systems recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the routers log files, and access-lists for your devices so security risks for your entire network are minimized.”

This isn’t the first time Adkins finds vulnerabilities in routers. Back in February, the researcher reported identifying several flaws in Netgear wireless routers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.