Buggy firmware opens a number of D-Link VPN router models to zero-day attacks. The flaws, which lack a complete vendor fix, allow adversaries to launch root command injection attacks that can be executed remotely and allow for device takeover.
Impacted are D-Link router models DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN running firmware version 3.14 and 3.17, according to a report published Tuesday by Digital Defense. The attacks are dependent on three chained bugs identified by researchers as an unauthenticated remote LAN/WAN root command injection flaw, authenticated root command injection vulnerability and an authenticated crontab injection.
The flaws (CVE-2020-25757, CVE-2020-25759, CVE-2020-25758) were confirmed by D-Link. However, the company says beta firmware patches and hot-patch mitigations available for its DSR-150, DSR-250 and DSR-500 models significantly reduce the ability for an adversary to target a vulnerable router.
“The two vulnerabilities were confirmed, and patches are under development. One of the reported vulnerabilities is how the device functionally works, and D-Link will not correct it on this generation of products,” D-Link wrote in response to the research.
Some of the impacted router models were first introduced in 2012 and appear to lack the same type of patching cadence as more modern D-Link router models. For example, D-Link’s DSR-150, was released over seven-years ago.
Absent from the D-Link support page is information or fixes for more recent router models DSR-500 and DSR-1000AC VPN. Both were identified by Digital Defense as vulnerable to remotely exploitable root command injection flaws.
Work-from-Home Reality Increase Router Risks
The routers are common home networking devices sold at numerous retail outlets, which means that people working remotely due to the COVID-19 pandemic likely are exposing not only their own environments but also corporate networks to risk, Digital Defense researchers noted.
The key vulnerability can be exploited over the internet without authentication using both WAN and LAN interfaces, giving a a remote, unauthenticated attacker with access to the router’s web interface the ability to execute arbitrary commands as root, “effectively gaining complete control of the router,” according to the Digital Defense report.
“With this access, an attacker could intercept and/or modify traffic, cause denial of service conditions and launch further attacks on other assets,” researchers said, adding that D-Link routers can connect up to 15 other devices simultaneously.
D-Link Offers Technical Insights
D-Link provided some technical detail about the bug in its report, noting that “the following Lua CGI actions, which are accessible without authentication, execute a Lua library function which passes user-supplied data to a call to os.popen() as part of a command intended to calculate a hash: /platform.cgi?action=duaAuth, /platform.cgi?action=duaLogout.”
In addition to the unauthenticated command injection vulnerability, Digital Defense also reported two others to D-Link that can be exploited by attackers to take control of the routers, the company said.
The second flaw is similar to the firm but requires an authenticated user with access to the “Unified Services Router” web interface to inject arbitrary commands that will be executed with root privileges, according to D-Link.
“The Lua CGI, which handles requests from the ‘Package Management’ form in the ‘Unified Services Router’ web interface, has no server-side filtering for the multi-part POST parameters payload, which are passed to os. execute () functions intended to move the uploaded file to another directory,” according to D-Link.
The third issue is an authentication crontab injection vulnerability that allows authenticated users with access to the “Unified Services Router” web interface, either on LAN or WAN, to inject arbitrary CRON entries, according to D-Link. These will be executed as root by modifying a downloaded router configuration file, updating the CRC, and reuploading the resulting crafted configuration file, the company said.
“The configuration file’s mechanism is authenticated upon upload is trivially bypassed by a malicious user creating a crafted configuration file that adds new cron entries to execute arbitrary commands as root,” according to D-Link.
Beta Patches and Partial Fixes
Final patches for the first two flaws are currently under development and will be released by mid-December, according to D-Link.
“D-Link has made a patch in the form of a hotfix for the affected firmware versions and models. Reference the information provided in D-Link’s support announcement. The official firmware release is anticipated in mid-December. Users are advised to verify their hardware model and firmware to identify vulnerable devices and apply provided hotfix and any other updates until the official firmware is available,” Digital Defense wrote.
Home networks and the devices that run them have risen among security concerns since March when COVID-19 pandemic restrictions first forced those who could to work from home, a situation for which many organizations were largely unprepared. As the pandemic persists, so also do those concerns with the safety of corporate networks when connected to home networks, which are inherently less secure and present a host of new threats.
Indeed, a report released earlier this year found that most home routers contain a number of known vulnerabilities—sometimes hundreds of them—that remained largely unpatched, meaning that many of those currently working from home are likely at risk.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.