Digital Defense, Inc.’s Vulnerability Research Team (VRT) reported this week that attackers are able to gain root access to, and take over, D-Link routers running the affected firmware.

If you have a D-Link router, there’s a chance your firmware could be riddled with bugs and therefore vulnerable to zero-day attacks. Unlike cloud-based services, which are managed by the supplier, VPN appliances such as D-Link’s often require manual patching to resolve bugs and add new features.

Due to the nature of this type of attack, there is currently no vendor fix, which means attackers are able to perform root command injection remotely and take over the device.

The D-Link Router models impacted are as follows:

  • DSR-150
  • DSR-250
  • DSR-500
  • DSR-1000AC VPN (running firmware version 3.14 & 3.17)

The VRT found in their research that adversaries can attack the firmware through three bugs that can be chained together, which they identified as an Unauthenticated Root Command Injection Flaw (CVE-2020-25757), an Authenticated Root Command Injection (CVE-2020-25759) and an Authenticated Crontab Injection (CVE-2020-25758).

In response to the findings, D-Link have confirmed that the flaws do exist in the firmware. For users of the affected models, D-Link are offering beta firmware patches and hot-patch mitigations which they claim substantially decrease the opportunity for an attack.
However, D-Link regards one of the flaws as part of how the device is intended to function, and they will not be looking to correct this in a product of this age.

To add some background, some of these routers were released in 2012 and have not been patched as securely as the more recent generations.

Much to the despair of D-Link customers, their support page lacks practical advice for tackling the issues associated with the DSR-500 and DSR-1000AC VPN. These are newer models, and as best practice this should have been addressed, particularly as the flaws have been identified as remotely exploitable root command injection.

Mitigated Risk to Corporations via D-Link Routers

The newly discovered vulnerabilities not only pose a certain level of risk to owners of the D-Link Router device, but also to their employers. These routers are often purchased by organizations that require them to provide remote workers VPN access to the corporate network from home. Due to the uptick in remote work in response to the global pandemic, this risk is further amplified for businesses.

What’s concerning about this vulnerability is that attackers are able to gain complete control of the router. They can exploit it remotely over the internet without authentication, via both the WAN and LAN interfaces. Once they’re in, they can access the router’s web interface and execute arbitrary commands as root. As a result, the attacker can direct traffic and connect to up to 15 devices, which creates a multitude of problems for organizations and their data.

To find out more you can read the full Digital Defense report here.

Digital Defense technical details on D-Link Router flaws

Digital Defense also provided some technical details about the bugs. During their investigation they found that D-Link routers using the Unified Services Router web interface exhibited several flaws that enable remote attackers to execute arbitrary commands with root privileges.

They found the Unauthenticated Root Command Injection Flaw (CVE-2020-25757) to be reachable without authentication through the web interface: a Lua library passes user-supplied data, without sanitisation, into a system command used to calculate a hash, so an attacker can inject arbitrary commands that run as root.
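The vulnerable pattern described above, shown beside its hardened forms, as an added example that is not code from the Digital Defense report or the D-Link firmware. It assumes a generic "hash via shell pipeline" routine and SHA-256; the exact Lua call and hash algorithm on the device are not stated here. The `looks_like_injection` check is a defender's input-validation/log-review heuristic, not anything from the advisory.

```python
import hashlib
import re
import shlex

# Characters a POSIX shell treats specially. Their presence in a value that is
# about to be spliced into a command line is the tell-tale sign of command
# injection, so this doubles as an input validator and a request-log rule.
# (Constructed for this example; not a list from the advisory.)
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\\"']")


def build_hash_command_unsafe(user_value: str) -> str:
    """Vulnerable pattern (illustrative only; never executed here): the value is
    concatenated straight into a shell command line, so metacharacters in it
    become additional commands rather than part of the data being hashed."""
    return "echo " + user_value + " | sha256sum"


def build_hash_command_hardened(user_value: str) -> str:
    """Same command, but shlex.quote passes the value to the shell as one
    literal word, so metacharacters lose their meaning."""
    return "echo " + shlex.quote(user_value) + " | sha256sum"


def hash_value(user_value: str) -> str:
    """Preferred fix: compute the hash in-process; no shell is involved at all."""
    return hashlib.sha256(user_value.encode("utf-8")).hexdigest()


def looks_like_injection(user_value: str) -> bool:
    """Defence-in-depth check: flag values carrying shell metacharacters before
    they reach any command-building code (or when reviewing request logs)."""
    return SHELL_META.search(user_value) is not None


if __name__ == "__main__":
    # Constructed sample input in the shape an attacker would submit to a
    # hash-calculation parameter; the unsafe builder turns it into two commands.
    sample = "abc; echo injected"
    print("unsafe   :", build_hash_command_unsafe(sample))
    print("hardened :", build_hash_command_hardened(sample))
    print("in-process:", hash_value("abc"))
    print("flagged  :", looks_like_injection(sample))
```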

The second flaw they discovered, Authenticated Root Command Injection (CVE-2020-25759), requires a different route to exploitation and needs authentication. Once authenticated, the attacker can use the Package Management form hosted in the web interface, which performs no server-side filtering of multi-part POST payloads.

The final flaw discovered, Authenticated Crontab Injection (CVE-2020-25758), is the one D-Link has confirmed, as mentioned above, to be intended device functionality for that generation of models.

Roadmap for Patches & Temporary Fixes

D-Link have announced that they are currently working on the final patches for flaws CVE-2020-25757 and CVE-2020-25759 and aim to have these available for beta in mid-December 2020.

Their advice to current customers for now is to check both the hardware and firmware versions to assess the potential risk, then to apply the provided hotfix and deploy any updates to the device.

In light of the changes to working patterns this year, companies should be vigilant about this vulnerability and communicate it to their end users. As organizations have scrambled to adopt new remote working strategies, the speed of deployment and the extension of their network perimeter have left many areas overlooked. Find out more about overcoming these issues here.

Alternatively, if you’re seeking advice on how to move away from legacy and risky VPN connections, you can find out more about how a ZTNA security solution is more seamless in terms of both security and speed in our article here.