The list of routers that have critical RCE bugs, that have reached end of life and that won’t get fixed has grown.
D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of hardware and steal data. The routers won’t be fixed, said D-Link, explaining that the hardware has reached its end-of-life and will no longer receive security updates.
The vulnerability is identified as a remote code-execution (RCE) flaw — a “bad authentication check” — impacting 13 model D-Link routers, according to a support announcement released Tuesday. The flaw stems from each of the router’s use of a web-configuration tool that allows an unauthenticated remote hacker — anyone who has network accesses to one of the affected D-Link routers — to easily access the device, take control of it and potentially infiltrate additional devices and networks connected to it.
“D-Link has recently been made aware of potential vulnerabilities in some D-Link routers that could allow an intruder without the proper credentials to access the device’s web-configuration,” according Tuesday’s news announcement.
D-Link identified the additional affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862.
In lieu of a patch, D-Link said mitigation against an attack includes “turning off the remote management function of the [affected] routers and [resetting] the routers with complicated passwords.”
What isn’t clear from the announcement is if the bug is similar to the vulnerability (CVE-2019-16920) discovered in October 2019 by FortiGuard Labs. That bug impacted 10 of the same SKUs of D-Link routers. Tuesday’s list of D-Link hardware include four never-before identified routers with an unauthorized RCE flaw – DIR-862, DIR-330, DGL-5500 and DIR-866.
Fortinet described that unauthenticated RCE vulnerability as occurring “when the attacker sends an arbitrary input to a ‘PingTest’ device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise.”
FortiGuard researcher Thanh Nguyen is credited with finding the flaw, cataloged as CVE-2019-16920. D-Link has not returned press requests for comment. Fortinet did not respond to questions ahead of publication.
D-Link is no stranger to vulnerabilities. In September, Trustwave SpiderLabs security researcher Simon Kenin discovered vulnerabilities in D-Link routers that can leak passwords for the devices, and which have the potential to affect every user on networks that use them for access. And in May, a researcher found attackers using the Google Cloud Platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link and other consumer routers.
In 2017, it was revealed that the D-Link DIR-130 was one of 25 router models from 10 manufacturers that could be exploited by the Central Intelligence Agency using CherryBlossom exploit code, according to documents posted by WikiLeaks as part of the so-called Vault7 release. That same year, independent researcher Pierre Kim reported two D-Link router models (850L and AC1200) had multiple vulnerabilities that could allow a hacker to gain remote access and control of device.
More recently, white-hat hackers over the weekend competing at the Tianfu Cup successfully compromised D-Link’s DIR-878 router.