D-Link has pushed out a firmware update for three serious security vulnerabilities in its DIR-820L home routers, and is expected to do the same for seven other models between tomorrow and March 10.
The vulnerabilities provide an attacker with remote access to the router without the need for authentication, including one in particular where an attacker may remotely change DNS configurations on the router by abusing a cross-site request forgery vulnerability. Researchers Peter Adkins and Tiago Caetano Henriques discovered the bugs and reported them to D-Link.
The CSRF bug was originally found on the D-Link DIR-636L model, but Caetano said in an advisory posted to the Full Disclosure mailing list that other versions were likely vulnerable. The problem, he said, is that the router incorrectly filters input on the ping tool (ping.ccp). An attacker could take advantage of that flaw to inject commands remotely and take over the router. From there, an attacker could use that access to carry out a DDoS attack, for example, or change network settings, exposing other machines.
“Due to the nature of the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a webpage with a malicious HTTP form embedded via CSRF,” the researchers wrote in a separate advisory.
D-Link said a firmware update for the DIR-636L model running v1.04b04_beta and earlier is under development and expected to be released March 6. Other affected models are:
- DIR-626L (firmware update expected March 10)
- DIR-808L (firmware update expected Friday)
- DIR-810L (firmware update expected tomorrow)
- DIR-826L (firmware update expected March 9)
- DIR-830L (firmware update expected Friday)
- DIR-836L (firmware update expected March 10)
In addition to the ping vulnerability, D-Link said one of the other bugs can be exploited with access to the local area network, and allows an attacker to use the router’s upload utility to load malicious code onto the device. The remaining vulnerability, D-Link said, allows an attacker to exploit particular chipset utilities in the router firmware that would expose configuration information.
The highest priority vulnerability, however, is the issue with the ping tool, Adkins and Caetano said.
“Simply put, it does not matter whether ‘WAN management’ is enabled on the device or not; visiting a webpage with a malicious javascript payload embedded is enough for an attacker to gain full access to the device,” Adkins said.
Technical details on the ping vulnerability are provided in the advisory.
In the meantime, D-Link recommends a number of mitigations until all the updated firmware is ready, starting with the disabling of remote admin access if it is not already shut off. Users should also change default passwords and enable Wi-Fi encryption keys, D-Link said.
“If remote network management is disabled, a malicious user would require to be on the local network side of the router or have compromised another device on the network that could be used to attack the router,” D-Link said in its advisory.