Researchers have discovered vulnerabilities in D-Link and Comba Telecom routers that can leak passwords for the devices and have the potential to affect every user on networks that use them for access.
Trustwave SpiderLabs security researcher Simon Kenin discovered the vulnerabilities, which Trustwave disclosed in a blog post Tuesday: two in a D-Link DSL modem typically installed to connect a home network to an ISP, and three in multiple Comba Telecom WiFi devices.
“All the vulnerabilities involve insecure storage of credentials, including three where cleartext credentials are available to any user with network access to the device,” according to the post.
Since a home user’s router is the gateway in and out of his or her entire network, Trustwave cautioned users to take the vulnerabilities very seriously.
“An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites,” the company wrote in the post. “An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website.”
Trustwave researchers also have seen such vulnerabilities used by attackers to manipulate web traffic to embed their own content, the company said in the post. Researchers cited a scenario about a year ago when Kenin discovered that bad actors were using unpatched Mikrotik routers to embed cryptojacking scripts in all the traffic that passed through them.
Specifically, the first D-Link vulnerability affects the D-Link DSL-2875AL, and the second affects both the DSL-2875AL and the DSL-2877AL. The first Comba vulnerability discovered affects the AC2400 Wi-Fi Access Controller, and the other two affect the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2), according to Trustwave.
Trustwave’s disclosure team said it made “multiple attempts” to notify both companies of the vulnerabilities after their discovery. Their response, or lack thereof, points to a persistent problem with device makers neglecting to take outside security recommendations seriously, the company said.
After initially calling D-Link’s response “confusing and unfortunately very typical for organizations that are not set up to accept security problems from third-party researchers,” Trustwave said the company eventually confirmed that it patched its affected devices. Those patches, as yet unverified by Trustwave, can be found online here and here.
“Users of these routers and access points will want to verify that they are on the most recent firmware and may want to use internal filtering controls or a separate filtering device like a firewall to limit access to the web-based management of these devices to only a small set of authorized IP addresses,” Trustwave advised in the post.
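The filtering control Trustwave recommends above, restricting the web-based management interface to a small set of authorized addresses, can be expressed as an allowlist and checked both at the firewall and in its logs. The following Python is an added example written for this article, not code from Trustwave or from either vendor: it assumes a Linux-based filtering device in front of the router (the `br-lan` interface name and the `src=... dst=... dport=...` log format are constructed for the example), renders an nftables fragment that admits only the allowlist to the management ports, and flags any logged management-port access from an address outside that allowlist.

```python
import ipaddress
import re

# Constructed allowlist: the only hosts permitted to reach the router's
# web management interface. Adjust to your own management hosts.
MANAGEMENT_ALLOWLIST = ["192.168.1.10/32", "192.168.1.0/28"]

# Ports on which the router exposes its web-based management (assumed).
MANAGEMENT_PORTS = (80, 443)

# Constructed sample of a firewall access log for the management interface.
# This is illustrative only, not real D-Link or Comba device output.
SAMPLE_LOG = """\
src=192.168.1.10 dst=192.168.1.1 dport=443 action=accept
src=192.168.1.77 dst=192.168.1.1 dport=80 action=accept
src=10.0.0.5 dst=192.168.1.1 dport=443 action=accept
src=192.168.1.12 dst=192.168.1.1 dport=22 action=accept
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, for repeated membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_authorized(src, networks):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def find_unauthorized_management_access(log_text, cidrs=MANAGEMENT_ALLOWLIST,
                                        ports=MANAGEMENT_PORTS):
    """Return (src, dport) for every management-port access from outside the allowlist.

    Non-management ports are ignored; malformed lines are skipped rather than raising.
    """
    networks = build_allowlist(cidrs)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport = m.group(1), int(m.group(3))
        if dport in ports and not is_authorized(src, networks):
            hits.append((src, dport))
    return hits


def nftables_rules(cidrs=MANAGEMENT_ALLOWLIST, ports=MANAGEMENT_PORTS, iface="br-lan"):
    """Render an nftables input-chain fragment: allowlist accepts, everything else dropped.

    The interface name is an assumption for a Linux filtering device sitting
    between the LAN and the router's management interface.
    """
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        "table inet mgmt {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
    ]
    for c in cidrs:
        lines.append(f'    iifname "{iface}" ip saddr {c} tcp dport {{ {port_set} }} accept')
    # Catch-all for the management ports: anything not matched above is dropped.
    lines.append(f'    iifname "{iface}" tcp dport {{ {port_set} }} drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nftables_rules())
    for src, port in find_unauthorized_management_access(SAMPLE_LOG):
        print(f"unauthorized management access from {src} on port {port}")
```

Run against the constructed log, the checker reports 192.168.1.77 (outside the /28) and 10.0.0.5 (a different subnet entirely) while ignoring the SSH line, since only the web management ports are in scope. The rendered nftables fragment applies the same allowlist at enforcement time, so a log hit after deployment indicates either an allowlist gap or a filtering device that is not actually in the path.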
Comba, on the other hand, “was simply unresponsive” and it remains unknown whether the company is working on patches, according to Trustwave.