D-Link leaves severe security bugs in home router unpatched
D-Link has released a firmware update to fix three out of six security vulnerabilities reported for the DIR-865L wireless router model for consumers. One flaw is rated critical, others are high-severity.
Attackers can use the bugs to execute arbitrary commands, steal sensitive information, upload malware, or delete data.
EoL in the U.S., EoS in Europe
D-Link’s DIR-865L was released in 2012 and is no longer supported for U.S. consumers, but its status on localized pages for European countries is End of Sale. This means that the product can no longer be purchased but is still supported by the vendor.
In late February, vulnerability researchers at Palo Alto Networks’ Unit 42 found half a dozen security vulnerabilities in the D-Link DIR-865L and reported them to the maker.
The researchers assess that the flaws may also affect newer models because they share a common code base. They found the following issues, with severity scores from the National Vulnerability Database (NVD):
- CVE-2020-13782: Improper Neutralization of Special Elements Used in a Command (Command Injection) – critical-severity score 9.8, not fixed
- CVE-2020-13786: Cross-Site Request Forgery (CSRF) – high-severity score 8.8, fixed
- CVE-2020-13785: Inadequate Encryption Strength – high-severity score 7.5, fixed
- CVE-2020-13784: Predictable seed in pseudo-random number generator – high-severity score 7.5, not fixed
- CVE-2020-13783: Cleartext storage of sensitive information – high-severity score 7.5, fixed
- CVE-2020-13787: Cleartext transmission of sensitive information – high-severity score 7.5, not fixed
It is worth noting that the command injection vulnerability received a critical severity score from NVD, while Unit 42 researchers note in their report that exploiting it requires authentication. Although authentication can be obtained via the CSRF (cross-site request forgery) flaw, this prerequisite would fit a lower severity rating.
Gregory Basior, one of the Unit 42 researchers who found and reported the vulnerabilities, says that combining some of these vulnerabilities could allow malicious actors to sniff network traffic and steal session cookies.
“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attack” – Gregory Basior
D-Link reacted with a beta firmware release that fixes only three of the flaws, the ones that would enable an attacker outside the local network to cause damage: CSRF, weak encryption, and storing sensitive info in plain text.
BleepingComputer has reached out to D-Link asking for clarification on the partial fixes delivered in the router but has not received an answer at publishing time.
The company highlights that the product reached end-of-life for U.S. consumers in early 2016 and recommends that they replace it with a newer model that is still supported. Check the list of legacy D-Link products.
“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it” – D-Link
Despite having an important role in connecting home devices, routers are rarely replaced when their support period expires. For many users, they are a “set it and forget it” type of hardware that is replaced only when it becomes technologically obsolete or no longer functions properly.
Installing router security updates is not a priority for the regular end-user, especially in the absence of an alert system for new firmware versions or an update procedure that is easy to follow.