Update A software component that exposed D-Link Wi-Fi cameras to remote attacks is also used in more than 120 other products sold by the company.
Researchers at Senrio, who found the original vulnerability, disclosed today additional details of product vulnerabilities related to the component after collaborating with D-Link. Senrio said the flaw also puts D-Link Connected Home products at risk, including other cameras, routers, models and storage devices.
Patches are yet unavailable despite indications from D-Link to Senrio that they would be ready July 1. A request for comment from D-Link was not returned in time for publication. D-Link has amended that and promises a fix next week.
“D-Link is working to address the reported DCS-930L vulnerability. D-Link expects to release the updated DCS-930L firmware by Friday, July 15 at: http://support.dlink.com/,” a D-Link spokesperson told Threatpost. “Additional testing is underway to confirm impact on any other D-Link models. Once testing is completed, additional information will be made available to customers online at:http://support.dlink.com/. In addition, firmware updates will publish on the mydlink service for automatic upgrade, or via D-Link’s support website for manual download.”
Senrio CEO Stephen Ridley told Threatpost in June that it was likely the flaw extended beyond the D-Link DCS-930L Wi-Fi camera. Attackers on the same Wi-Fi network could exploit the stack overflow vulnerability and put home or business networks hosting the cameras at risk.
“The device itself is another network device,” Ridley told Threatpost. “There are a lot of edge use-cases we’re seeing. Because of the nature of these devices, two things are happening: People are putting them in places where they need to access them over the Internet. And they’re connecting them to the network accessing the feed from places they shouldn’t be relative to the security of the network such as the public Internet.”
A Shodan search for the single DCS-930L camera produces 55,000 publicly accessible devices; more than 400,000 D-Link devices may be exposed.
Senrio today disclosed three flaws, the most severe of which is the original which it describes as an unbounded/unchecked string copy in the dcp_class6_parser(). An attacker using this vulnerability could contact a device through the network and remotely execute code.
“An unbounded string copy to a statically sized stack variable in this function allows for code execution,” Senrio said in its report.
The company also disclosed two other flaws of lesser severity. The first is in the D-Link 930L circuit board (JP2) and requires physical access to exploit. Successful attacks would enable someone to gain console access to the device. Senrio said in its advisory that the JP2 has an unauthenticated “root” console waiting via UART, or the universal asynchronous receiver/transmitter.
“The pinouts can be trivially reverse engineered and the baud rates can be trivially reverse engineered,” Senrio said in its advisory. “With a UART interface, an attacker can them make use of this hardware interface to assist with vulnerability research.”
The remaining vulnerability disclosed today is in the Alphapd embedded webserver, and requires access to the UART or console to exploit, Senrio said.
“The Alphapd webserver allowed us to easily exfiltrate files using some simple directory traversal and file type confusion issues,” Senrio said.
It’s unknown what the timetable for a fix might be, but given the fact that 120 or more products may be involved, it will be a challenge.
“Manufacturers have become very efficient in designing hardware and software platforms that can be used across multiple product families,” Senrio said. “This saves costs (economies of scale) and development time (reducing time to market). However, this also means that a vulnerability can span across the entire product offerings, such as in the case of D-Link.”
This article was updated July 8 with comments from D-Link.