Six high-severity vulnerabilities have been discovered in the D-Link’s wireless home router that could allow attackers to execute arbitrary commands, obtain unauthenticated access to the device, steal sensitive files, upload malicious files or delete essential files.
In late February, security researchers at Palo Alto Network’s Unit 42 found these vulnerabilities affecting D-Link’s DIR-865L wireless cloud router, which is meant for home network use.
Gregory Basior from the Palo Alto’s research team who reported these high-severity vulnerabilities, says that, by combining these vulnerabilities, hackers can sniff network traffic to steal session cookies.
“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attacks,” Gregory described.
Following vulnerabilities are discovered in D-Link device/s:
- CVE-2020-13785: Inadequate Encryption Strength
- CVE-2020-13782: Improper Neutralization of Special Elements used in a Command (Command Injection)
- CVE-2020-13784: Predictable seed in a pseudo-random number generator
- CVE-2020-13783: Cleartext storage of sensitive information
- CVE-2020-13786: Cross-Site Request Forgery (CSRF)
- CVE-2020-13787: Cleartext transmission of sensitive information
“It is possible that some of these vulnerabilities are also present in newer models of the router because they share a similar codebase,” researchers further said in the report.
After the discovery, Palo Alto’s Unit42 researchers immediately notified D-Link about the vulnerabilities in their product/s.
In May 2020, D-Link released the partial fixes for only three of the six reported vulnerabilities.
- Cross-Site Request Forgery (CSRF)
- Inadequate Encryption Strength
- Cleartext Storage of Sensitive Information
“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it,” D-link highlighted in their announcement made on Friday . “Owners of the DIR-865L who use this product beyond EOS, at their own risk, should manually update to the latest firmware. These beta releases are a result of investigating and understanding the report and out complete investigation of the entire family of products that may be affected”.
The current trend of working from home is increasing the likelihood of malicious attacks against home networks, it is recommended that everyone should keep their network devices updated with the latest version in order to stay safe from the cybercriminals.