Using a D-Link router? Watch out for hardcoded backdoors that give hackers admin access

Автор: | 25.05.2018

Security researchers at Kaspersky Lab have discovered four serious vulnerabilities in D-Link DIR-620 wireless routers that could give an attacker total control over the device from anywhere in the world, as noted in a recent security report.

The vulnerabilities in the DIR-620 all come from the device’s firmware, and Kaspersky Lab said that versions 1.0.37, 1.3.1, 1.3.3, 1.4.0, and 2.0.22 are all known to be vulnerable.

DIR-620 routers are primarily located in Russia and other members of the Commonwealth of Independent States because a large Russian ISP used them as its basic customer model, the report said. Despite that, D-Link router users may want to take the time to change default admin passwords, restrict firmware access to an IP whitelist, and take other security precautions.

The four flaws

The D-Link DIR-620 vulnerabilities discovered by Kaspersky Lab claim different Common Vulnerabilities and Exposures (CVE) ratings, ranging (on a scale of 10) from 6.1 to 10. All four are serious, but there are two in particular to beware of.

First is a reflected cross-site scripting (XSS) vulnerability in the firmware’s web portal. «A reflected XSS attack is possible as a result of missed filtration for special characters in [the Quick Search] field and incorrect processing of the XMLHttpRequest object,» Kaspersky Lab researchers said in the report.

The second vulnerability involves hard-coded, privileged credentials found by analyzing the firmware’s binaries. Kaspersky lab hasn’t released the username or password in question because it can’t be changed by a device administrator—it’s totally hardcoded, the report noted.

An attacker who used the account to gain access wouldn’t have administrator rights, but would be a «privileged user,» which Kaspersky Lab said could allow them to extract sensitive data.

The third vulnerability is where things start to get serious—it earned a 9.1 on the CVE scale. Kaspersky Lab only makes a quick mention of what this vulnerability is: «An OS command injection vulnerability is possible as a result of incorrect processing of the user’s input data in the following parameter: /index.cgi?<…>&res_buf.»

The fourth vulnerability is directly related to the third, and it’s this one that earned a 10/10 on the CVE severity scale, the report noted. By using the command injection above an attacker can extract Telnet credentials for the router, which are also hardcoded into the firmware.

Fixing your DIR-620

When Kaspersky Lab reached out to D-Link and the Russian ISP issuing a large amount of DIR-620s they were basically told there was nothing to be done. According to the report, D-Link reportedly told Kaspersky Lab that «the model of router was no longer supported by vendor, so [the] vendor will only patch vulnerabilities if the ISP sends a request to do so.»

If you have a D-Link DIR-620 that means you’re essentially left with a vulnerable device and no expectation for a coming fix. Kaspersky Lab does give some advice for securing a DIR-620, and it’s a few simply things that any wireless router user could benefit from, regardless of what kind of device they have:

  • Restrict web dashboard access to a list of preapproved IP address. Any attackers attempting to connect will simply fail.
  • Block all access to Telnet.
  • Regularly change admin usernames and passwords. If an attacker manages to break in they could steal non-hardcoded credentials as well.

SEE: Computer hardware depreciation calculator (Tech Pro Research)

DIR-620 routers are an older model, and not many are left in the wild. In fact, Bleeping Computer said that a Shodan scan for DIR-620s only turned back 100 online units. While this vulnerability may be small in scale, that doesn’t mean it’s restricted to only DIR-620s—other D-Link devices could be vulnerable as well. Take this opportunity to protect yourself.

The big takeaways for tech leaders:

  • Four vulnerabilities in D-Link DIR-620 routers can be used by an attacker to gain remote access. D-Link has no plans to address the issue.
  • DIR-620s are an older uncommon router, but the vulnerabilities found in them could also be present in other hardware. Take the time to secure your routers now to prevent a future incident.

Also see

180511-backdoors-on-d-link-3.png

Image: Kaspersky Lab

Source

Добавить комментарий