Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Serious Vulnerability Affects Over 120 D-Link Products

Software Component Reuse Brings Vulnerabilities To Entire Product Lines

Software Component Reuse Brings Vulnerabilities To Entire Product Lines

A vulnerability affecting D-Link Wi-Fi cameras, disclosed by researchers in June, has been found to affect more than 120 of the company’s products. Experts identified nearly half a million potentially vulnerable devices accessible over the Internet.

IoT security startup Senrio reported last month that it had identified a stack overflow in D-Link’s popular DCS-930L Wi-Fi cameras. Researchers said the vulnerability can be exploited by a remote attacker for arbitrary code execution, including to overwrite the administrator password of the affected devices.

When it disclosed its existence, Senrio said D-Link had been working on addressing the flaw. The vendor has analyzed the vulnerability and determined that it actually affects more than 120 D-link cameras, access points, routers, modems, storage solutions and connected home products.

The flaw exists in a service responsible for processing remote commands and it can be exploited with a single specially crafted command. Stephen Ridley, researcher and founder of Senrio, told SecurityWeek that while their initial proof-of-concept (PoC) was designed to change the password of a vulnerable device, an attacker could do virtually anything with this flaw, including snoop on network traffic and install backdoors.

According to the expert, the vulnerable code is present in many D-Link products, but each device requires a different exploit.

“The locations of values in memory are different between firmware versions and devices, which affects how a successful exploit for the bug is written,” said Ridley. “An attacker would practically account for this difference in versions/devices by ‘fingerprinting’ a device (e.g. query the device first) and then change the exploit payload based on the target.”

A search conducted with Shodan has shown that there are more than 400,000 potentially vulnerable devices accessible from the Internet, and most of them are located in North America, followed by Europe.

Vulnerable D-Link devices

“The D-Link vulnerability found by the Senrio Research team is extremely relevant given the recent news on how webcams were used for a DDoS attack. It is reasonable to expect more of these types of attacks as malicious actors realize how ubiquitous and vulnerable IoT devices are,” said John Matherly, CEO of Shodan.

D-Link plans to patch the vulnerability in each of its products soon – starting with DCS cameras, which account for a majority of affected devices. The company said it will address the issue by removing the command that can trigger the vulnerability.

This is not the first time concern over shared code in IoT devices has been raised. Earlier this year, it was discovered that surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to a Remote Code Execution (RCE) vulnerability because of shared firmware code.

In November 2015, a study by IT security consultancy SEC Consult revealed that millions of IoT devices use the same cryptographic secrets, making them vulnerable to various types of malicious attacks. 

“The big takeaway from this is that a single software component gets reused throughout company product lines,” said Ridley. “This is the gospel we’ve been trying to preach especially to the industrial control folks who we see this pattern the most in. They reuse the same vulnerable bits of code from the lower cost stuff all the way through flagship products.”

Ridley will be presenting on additional research at SecurityWeek’s 2016 ICS Cyber Security conference, taking place in Atlanta Oct. 24 -27, 2016.

Related: “Libotr” Library Flaw Exposes Popular IM Apps

Related: Remote Code Execution Flaw Patched in glibc Library

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.