The Vulnerability Research Team (VRT) at threat management firm Digital Defense has discovered a zero-day command injection flaw affecting certain D-Link router models, which are commonly used in people’s homes. The flaw is remotely exploitable and allows attackers to gain root access to the router.
D-Link Router Models Affected
The VRT at Digital Defense discovered the vulnerability affecting certain D-Link routers and D-Link VPN routers. These routers are commonly used in the home and are easily available from Amazon, Best Buy, Office Depot and Walmart.
The D-Link router models affected are the D-Link DSR-150, DSR-250 and DSR-500. Also affected are D-Link VPN routers running firmware versions 3.14 and 3.17. All these routers are vulnerable to the remotely exploitable zero-day command injection flaw. The flaw (CVE-2020-25757, CVE-2020-25759, CVE-2020-25758) has been confirmed by D-Link.
Digital Defense informed D-Link of the vulnerability in August before disclosing the zero-day flaw to the public via a press release earlier in the week. Regarding the disclosure, Digital Defense said: “Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
Consequences of the Command Injection Flaw
The command injection flaw leaves affected D-Link routers accessible, without authentication, from both their WAN and LAN interfaces. Furthermore, the flaw can be exploited remotely over the internet, giving attackers root access to the router.
Once attackers have access to a router, they could execute arbitrary commands to gain total control of the router. Digital Defense explains that “With this access, an attacker could intercept and/or modify traffic, cause denial of service conditions and launch further attacks on other assets. D-Link routers can connect up to 15 other devices simultaneously.”
This flaw is especially dangerous at present because the pandemic has forced many people to work from home. These people could be connecting to corporate networks using affected D-Link router models, thus also putting organizations at risk.
The command injection vulnerability has since been patched, and updated firmware for the affected D-Link router models has been released. Although these are beta firmware patches, they nonetheless reduce the ability of hackers to target vulnerable routers. D-Link therefore recommends that users download and install the updated firmware as soon as possible.
In addition to the command injection vulnerability, Digital Defense identified a further vulnerability relating to how the devices function. With regard to this latter Authenticated Crontab Injection vulnerability, D-Link has stated that it would “not correct it on this generation of products.”