Facebook   Tumblr   LinkedIn

D-Link Home Router Flaw Won't Be Patched

Walden Systems Geeks Corner News D-Link Home Router Flaw Won't Be Patched Rutherford NJ New Jersey NYC New York City North Bergen County
Rita gives you full control of what sites your employees visit. Rita can block sites that eat up your precious bandwidth such as media streaming sites. Rita enables you full control of what sites your employees can and cannot visit. Rita gives you the ability to block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can block access to sensitive servers within your LAN.

D-Link won’t patch a critical, unauthenticated command injection vulnerability in its routers that allows hackers to remotely control the devices. The flaw exists in the newest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565, which are routers for the home. D-Link stated that all four are end-of-life and are no longer sold or supported. The models are still available as new via third-party sellers.

The cause of the flaw is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function. This is a typical security pitfall suffered by many firmware manufacturers according to Fortinet which first discovered the issue. The issue starts with the log-in function on the admin page for the router. The log-in function is performed using the URI /apply_sec.cgi function, it extracts the value of current_user and user_username from the NVRAM, which is a type of RAM that retains data after a device’s power is turned off. The function then compares the value of the current_user with the value of the variable acStack160. The current_user value in NVRAM will be set only after a successful user login, so by default its value is not initialized. The value of acStack160 is the result of base64encode user_usernam, and by default, the user_username is set to user, so there is no way the iVar2 can return a value of 0, so it won't return to the error.asp page. A hacker can perform any action in the SSC_SEC_OBJS array under the /apply_sec.cgi path.

Since there is no patch, affected routers should be replaced as soon as possible. In September, researchers discovered vulnerabilities in D-Link routers that can leak passwords for the devices, and which have the potential to affect every user on the network. In May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.