Los expertos de Loginsoft han informado sobre cinco vulnerabilidades graves encontradas en algunos modelos de enrutadores D-Link. Peor aún, El soporte para algunos dispositivos vulnerables ya ha sido descontinuado., lo que significa que no recibirán parches, mientras que los exploits PoC para problemas ya se han hecho públicos.
Entre los problemas descubiertos por los investigadores se encuentran: ataques XSS reflejados; a buffer overflow to find out the administrator’s credentials; bypass authentication; arbitrary code execution. Básicamente, anyone with access to the device’s admin page can perform the listed attacks without even knowing the credentials.
“Fortunately, en la mayoría de los casos, to gain access to the admin interface, an attacker must be on the same network as the router (por ejemplo, it could be a connection to a public access point or a single internal network)", – say Loginsoft experts.
The situation is seriously complicated by opportunity of remote connection to the router: then the attacker will only need to make a request for the router’s IP address, bypass authentication, and take control of the device and the network. According to the search engine Shodan, más que 55,000 D-Link devices currently can be remotely accessed.
D-Link specialists have already published a list of all devices vulnerable to five new problems. Some of these bugs were reported back in February 2020, while Loginsoft’s research, según la empresa, was conducted in March.
Al mismo tiempo, the company does not specify what will be DAP-1522 and DIR-816L devices, for which support and release of updates have already been discontinued. These routers running firmware 1.42 (y después) and 12.06.B09 (y después) remain vulnerable and there is no way to patch them.
Sin embargo, for another old model, DAP-1520, D-Link made an exception and released a beta version of the patch (1.10b04Beta02).
It all reminded about curious story about vulnerabilities in D-Link products, when for 8 years Cereals IoT botnet used one of the vulnerabilities in D-Link’s NAS and NVR to… download anime.
List of disclosed vulnerabilities:
- CVE-2020-15892: DAP 1520: Buffer overflow in the `ssi` binary, leading to arbitrary command execution.
- CVE-2020-15893: DIR-816L: Command injection vulnerability in the UPnP via a crafted M-SEARCH packet
- CVE-2020-15894: DIR-816L: Exposed administration function, allowing unauthorized access to the few sensitive information.
- CVE-2020-15895: DIR-816L: Reflected XSS vulnerability due to an unescaped value on the device configuration
- CVE-2020-15896: DAP-1522: Exposed administration function, allowing unauthorized access to the few sensitive information.