Multiple D-Link routers found vulnerable to attack

Multiple wireless routers manufactured by networking hardware supplier D-Link have been found at risk of being attacked via a remotely exploitable root command injection flaw, according to vulnerability management and threat assessment specialist Digital Defense.

Digital Defense’s vulnerability research team (VRT) found the previously undisclosed bug in four D-Link products, the DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers running firmware versions 3.14 and 3.17.

Although pitched at small and medium-sized enterprises (SMEs) first and foremost, the affected devices are commonly sold on consumer websites and e-commerce sites. Given the rise in remote working during the pandemic, it is possible that many people are connecting into a corporate network using one of the affected devices, said Digital Defense.

The vulnerable component in the devices can be accessed without authentication and is exploitable over the internet from both WAN and LAN interfaces. As such, the researchers said, a remote, unauthenticated attacker who had access to the router’s web interface could execute arbitrary commands as root, giving them control of the router.

This step achieved, an attacker could then intercept or modify network traffic, cause denial-of-service conditions, and launch attacks on other assets – some of the affected devices are capable of connecting up to 15 devices at once.

Mike Cotton, senior vice-president of engineering at Digital Defense, said: “Our standard practice is to work in tandem with organisations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability.

“The Digital Defense VRT reached out to D-Link, which worked diligently on a patch. We will continue outreach to customers to ensure they are aware and able to take action to mitigate any potential risk introduced by the vulnerability,” he added.

D-Link said it had acknowledged the reports, which were first made to it in August 2020, and that patches for them will be available in mid-December.

The firm declined to recognise another vulnerability, reported at the same time, because a theoretical attacker would need to engineer a way of gaining access to the device to upload a malicious configuration file, making it a low threat once the patched firmware becomes available.