Software Component Reuse Brings Vulnerabilities To Entire Product Lines
A vulnerability affecting D-Link Wi-Fi cameras, disclosed by researchers in June, has been found to affect more than 120 of the company’s products. Experts identified nearly half a million potentially vulnerable devices accessible over the Internet.
IoT security startup Senrio reported last month that it had identified a stack overflow in D-Link’s popular DCS-930L Wi-Fi cameras. Researchers said the vulnerability can be exploited by a remote attacker for arbitrary code execution, including to overwrite the administrator password of the affected devices.
When it disclosed its existence, Senrio said D-Link had been working on addressing the flaw. The vendor has analyzed the vulnerability and determined that it actually affects more than 120 D-link cameras, access points, routers, modems, storage solutions and connected home products.
The flaw exists in a service responsible for processing remote commands and it can be exploited with a single specially crafted command. Stephen Ridley, researcher and founder of Senrio, told SecurityWeek that while their initial proof-of-concept (PoC) was designed to change the password of a vulnerable device, an attacker could do virtually anything with this flaw, including snoop on network traffic and install backdoors.
According to the expert, the vulnerable code is present in many D-Link products, but each device requires a different exploit.
“The locations of values in memory are different between firmware versions and devices, which affects how a successful exploit for the bug is written,” said Ridley. “An attacker would practically account for this difference in versions/devices by ‘fingerprinting’ a device (e.g. query the device first) and then change the exploit payload based on the target.”
A search conducted with Shodan has shown that there are more than 400,000 potentially vulnerable devices accessible from the Internet, and most of them are located in North America, followed by Europe.
“The D-Link vulnerability found by the Senrio Research team is extremely relevant given the recent news on how webcams were used for a DDoS attack. It is reasonable to expect more of these types of attacks as malicious actors realize how ubiquitous and vulnerable IoT devices are,” said John Matherly, CEO of Shodan.
D-Link plans to patch the vulnerability in each of its products soon – starting with DCS cameras, which account for a majority of affected devices. The company said it will address the issue by removing the command that can trigger the vulnerability.
This is not the first time concern over shared code in IoT devices has been raised. Earlier this year, it was discovered that surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to a Remote Code Execution (RCE) vulnerability because of shared firmware code.
“The big takeaway from this is that a single software component gets reused throughout company product lines,” said Ridley. “This is the gospel we’ve been trying to preach especially to the industrial control folks who we see this pattern the most in. They reuse the same vulnerable bits of code from the lower cost stuff all the way through flagship products.”
Ridley will be presenting on additional research at SecurityWeek’s 2016 ICS Cyber Security conference, taking place in Atlanta Oct. 24 -27, 2016.
Related: “Libotr” Library Flaw Exposes Popular IM Apps
Related: Remote Code Execution Flaw Patched in glibc Library

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
