D-Link has released new firmware for its DAP-1320 wireless range extender and the DCS-93xL family of Wi-Fi cameras in order to patch two critical vulnerabilities that can lead to device hijacking.
The vulnerabilities were discovered by researchers from Tangible Security and responsibly disclosed to D-Link.
The first one, affecting the Wi-Fi range extender, is a command injection vulnerability in the firmware update mechanism. “By allowing a command injection attack, an attacker could compromise the system and subvert it for the attacker’s purpose, for example sniffing passwords from the wifi users. There are security impacts to the confidentiality, integrity, and availability of the device and its services,” the researchers explained.
D-Link advises all users to update to the latest version of the firmware (1.21b05).
The vulnerability affecting the DCS-93xL family of devices is found in a hidden webpage on the device, which can allow an attacker to upload arbitrary files from his or her system.
“By allowing any file in the file system to be overwritten, the attacker is allowed to overwrite functionality of the device. The unintended functionality reveals details that could lead to further exploitation,” the researchers pointed out.
Users are advised to use the mydlink lite mobile application to update their firmware as soon as possible.
“Tangible Security is unaware of any public exploits of these vulnerabilities. However, due to the categorization of these vulnerabilities, it may be reasonable to believe that cyber criminals are doing so,” the researchers concluded.