Router company D-Link has patched two separate vulnerabilities in its firmware that could be exploited remotely and lead to takeover and arbitrary code execution.
Devices under the DCS-93xl umbrella, including the following IP cameras with a custom Linux distribution models: DCS-930L, DCS-931L, DCS-932L, and DCS-933L, contain a hole that enabled remote authenticated attackers to upload their own files – in the location of their choosing – to the device. This could allow an attacker to create, modify or delete information. In addition the vulnerability could lead to arbitrary code execution.
The flaw lies in a vulnerable version of the router’s firmware, version 1.04, but an advisory on CERT’s Vulnerability Notes database published today stresses that versions before 2.0.17-b62, the most recent, patched build, could also be at risk.
The second issue D-Link patched was also a firmware vulnerability, present in its DAP-1320 Rev Ax firmware, version 1.11. CERT claims that a command injection vulnerability in the firmware’s update mechanism could have been hijacked. From there, a remote unauthenticated attacker could have easily executed commands on the device and had free reign of the mechanism.
Users whose routers run either of the affected firmware are encouraged to update to the most recent versions, 2.0.17-b62 and 1.21b05, respectively.
Researchers with Tangible Security, a security firm headquartered in Maryland that’s previously worked with the Department of Homeland Security, the F.B.I. and other agencies, discovered the vulnerabilities and disclosed them to D-Link.
The router company recently fixed three critical security vulnerabilities in a multitude of its home routers that could have led to remote code execution, information disclosure and DNS hijacking. Model numbers DIR-626L, 808L, 820L, 826L, 830L, and 836L were all updated to reflect the fixes over the past two weeks or so.
This post was updated on 3/17 to reflect that the DCS-93xl family of devices are IP cameras, not routers.