D-Link routers vulnerable to remotely exploitable root command injection flaw

The Digital Defense Vulnerability Research Team uncovered a previously undisclosed vulnerability affecting D-Link VPN routers. D-Link DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers running firmware version 3.14 and 3.17 are vulnerable to a remotely exploitable root command injection flaw.

These devices are commonly available on consumer websites/ecommerce sites such as Amazon, Best Buy, Office Depot and Walmart. Given the rise in work-from-home due to the pandemic, more employees may be connecting to corporate networks using one of the affected devices.

Accessible without authentication

The vulnerable component of these devices is accessible without authentication. From both WAN and LAN interfaces, this vulnerability could be exploited over the internet. Consequently, a remote, unauthenticated attacker with access to the router’s web interface could execute arbitrary commands as root, effectively gaining complete control of the router.

With this access, an attacker could intercept and/or modify traffic, cause denial of service conditions and launch further attacks on other assets. D-Link routers can connect up to 15 other devices simultaneously.

Updates are available

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch.

“We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability,” states Mike Cotton, senior vice president of engineering at Digital Defense.

D-Link’s advisory provides more details about the updates that have been released, which should be applied.