D-Link fixes critical router flaws
D-Link has released new firmware for its DIR-820L Wi-Fi dual band cloud router, which fixes a number of security vulnerabilities. One of these can apparently be exploited by attackers to gain full access to the device independently of whether the “WAN management” option is enabled on the device or not.
“First vulnerability reportedly relates to a malicious user who might be connected to the LAN-side of the device to use the device’s upload utility to load malicious code without authentication. A second vulnerability reportedly relates to the device’s ping utility that might permit command injection without authentication. A third vulnerability reportedly may exploit certain chipset utilities in firmware to potentially permit a malicious user an attack disclosing information about the device’s configuration,” D-Link noted in a security advisory released on Monday.
More technical details about the vulnerabilities can be found in the document compiled by their discoverer, systems/network engineer Peter Adkins, who notified D-Link of the issues in early January.
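To make the second issue in the advisory concrete, here is an added example (not D-Link’s firmware code, and not from Adkins’ write-up) of the pattern behind an unauthenticated command injection in a router’s ping utility, shown beside a hardened handler. The handler names, the `-c 3` ping arguments and the sample input are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Added example, not D-Link's firmware code: a constructed ping handler in the
# style of a router web UI, showing the unauthenticated command-injection
# pattern described in the advisory beside a hardened version.

SHELL_METACHARACTERS = set(";|&`$()<>\n")


def build_ping_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the user-supplied host is spliced into a shell
    command string. Anything after a shell metacharacter is run as a
    separate command by the shell that executes this string."""
    return f"ping -c 3 {host}"


def injected_metacharacters(command: str) -> List[str]:
    """Report which shell metacharacters a built command string contains,
    in the order they appear (an empty list means none)."""
    return [c for c in command if c in SHELL_METACHARACTERS]


def build_ping_command_hardened(host: str) -> List[str]:
    """Hardened pattern: accept only a syntactically valid IPv4/IPv6 address
    and return an argv list for subprocess.run(argv, shell=False), so the
    input can never be more than a single argument to ping.
    Raises ValueError for anything else."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ValueError(f"rejected host {host!r}: not an IP address") from exc
    # A validated IP literal cannot start with '-', so it cannot be parsed
    # by ping as an option either.
    return ["ping", "-c", "3", str(addr)]


def handle_ping_request(authenticated: bool, host: Optional[str]) -> Dict[str, object]:
    """Request handler for the hardened path. The advisory's second issue is
    that the ping utility could be driven without authentication, so the
    session check comes first and input validation second."""
    if not authenticated:
        return {"status": 401, "error": "authentication required"}
    if not host:
        return {"status": 400, "error": "missing host"}
    try:
        argv = build_ping_command_hardened(host)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    # A real handler would now call subprocess.run(argv, shell=False, timeout=...)
    # and return its output; here only the argv is returned so the example
    # runs without a network.
    return {"status": 200, "argv": argv}


if __name__ == "__main__":
    bad = "127.0.0.1; echo injected"  # constructed input containing a shell separator
    cmd = build_ping_command_vulnerable(bad)
    print("vulnerable string:", repr(cmd), "metacharacters:", injected_metacharacters(cmd))
    print("hardened, unauthenticated:", handle_ping_request(False, bad))
    print("hardened, bad input:", handle_ping_request(True, bad))
    print("hardened, good input:", handle_ping_request(True, "::1"))
```

The two differences that matter are the authentication check before anything else, and passing the validated address as one element of an argv list rather than into a shell string; allow-listing the input as an IP address is what makes the second safe even if a later maintainer reintroduces `shell=True`.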
The company has announced that firmware updates for other affected devices – DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L, and DIR-836L – will most likely be made available by March 10.
A router made by TRENDnet – the TRENDnet TEW-731BR – has also been sporting the same vulnerabilities, and TRENDnet fixed them with a firmware update pushed out on February 10.
D-Link advises updating the firmware on affected devices as soon as possible, and disabling remote administrative access and/or verifying the device’s remote administrative access feature is disabled (it’s disabled by default).
“The long and short of it is: it’s probably better to use something like µBlock and blacklist your router IP – to mitigate unwanted CSRF calls against your device – while we wait for a vendor fix,” says Adkins.
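Adkins’ uBlock workaround stops the browser from issuing cross-site requests to the router’s IP. The device-side counterpart that a vendor fix would contain is an origin check on management requests; the following is an added example (not code from D-Link, TRENDnet or Adkins) of such a check, with the management origin `http://192.168.0.1`, the header sets and the `/admin.cgi` path constructed for illustration.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Added example, not any vendor's firmware code. ROUTER_ORIGINS is constructed;
# a real device would derive it from its own LAN address and configured ports.
ROUTER_ORIGINS = {"http://192.168.0.1", "https://192.168.0.1"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return the scheme://host[:port] the browser asserts the request came
    from: the Origin header if present, otherwise derived from Referer,
    otherwise None. A literal Origin of "null" (opaque origins such as
    sandboxed frames) also yields None."""
    origin = _header(headers, "Origin")
    if origin is not None:
        origin = origin.strip().rstrip("/")
        return None if origin.lower() == "null" else origin
    referer = _header(headers, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_cross_site(headers: Dict[str, str], allowed=ROUTER_ORIGINS) -> bool:
    """Fail closed: a request to a management endpoint counts as cross-site
    unless the browser asserts an origin equal to the device's own
    management origin. Requests carrying neither header are rejected too;
    the device's own pages control their referrer policy, so legitimate
    requests from them always carry at least a Referer."""
    return request_origin(headers) not in allowed


def authorize_management_request(headers: Dict[str, str],
                                 allowed=ROUTER_ORIGINS) -> Dict[str, object]:
    """Gate for state-changing management endpoints (e.g. the ping and
    upload utilities named in the advisory). The session check that must
    also run is omitted here to keep the example to the CSRF decision."""
    if is_cross_site(headers, allowed):
        return {"status": 403, "error": "cross-site request rejected"}
    return {"status": 200}


if __name__ == "__main__":
    # Constructed header sets standing in for three browser requests.
    same_site = {"Origin": "http://192.168.0.1", "Referer": "http://192.168.0.1/admin.cgi"}
    other_site = {"Origin": "http://attacker.example"}
    no_headers = {}
    for name, hdrs in [("same site", same_site), ("other site", other_site), ("no headers", no_headers)]:
        print(name, "->", authorize_management_request(hdrs))
```

This check rejects the cross-site calls the uBlock rule is meant to block, but only if the device enforces it on every endpoint that changes state; a per-session anti-CSRF token in forms is the usual second layer when an Origin header cannot be relied on.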
D-Link has yet to come up with a fix for the DNS hijacking flaw recently flagged by security researcher Todor Donev.