D-Link Patches Zero-Day Vulnerabilities, Others Still Remain

Networking equipment maker D-Link has released a patch for a series of vulnerabilities affecting one of its routers. The security flaws, disclosed publicly almost two weeks ago without alerting the manufacturer, could allow a hacker to fully control the device through various methods. Issues have been reported for other devices, but an update is not available yet.

Security researcher Pierre Kim published on Sept. 7 full details of 18 vulnerabilities in the D-Link DIR-850 gigabit router, revisions A and B, and on the insecure data transmission to MyDlink – a cloud platform that offers remote access to the device’s administration console. Kim reported vulnerabilities to D-Link in February, but says the company did not acknowledge his effort and did a poor job fixing them; so the researcher this time released the information without giving the vendor time to prepare a patch.

As announced on their support forum, D-Link made available on Tuesday a new firmware for DIR-850. The update fixes 14 of the 16 problems Kim uncovered in the router. One risk that remains is backdoor access using credentials, which are now public. The other targets the Dynamic Host Configuration Protocol (DHCP) client, which can pass commands that the system executes with the highest privileges. Both allow an attacker to communicate with the device via a telnet connection, but only the second one establishes communication from outside the local network.

At least three other models have problems that can be exploited to infect them with malware for distributed denial-of-service attacks. In fact, the hardware security company that discovered the bugs, Embedi, has successfully compromised D-Link’s DIR-890L, DIR-885L and DIR-895L, in a test with a variant of Mirai they created.  Researchers say other DIR-8xx models are also at risk.

Embedi tried to disclose the flaws responsibly, but saw a lack of coordination similar to what Pierre Kim experienced earlier this year. They contacted the Taiwanese maker at the end of April and, after four months of unproductive on-and-off correspondence, Embedi found on D-Link’s support page for one device a beta firmware release that removed one of the three bugs they had reported.

“D-Link has closed one of the detected vulnerabilities in the DIR890L router only, leaving other devices unsafe. Two other vulnerabilities were (and are still) ignored by the developer,” the researchers wrote in their report.

At the moment of writing, only DIR-850L benefits from an updated firmware. For the other affected routers, the most recent firmware version is a beta release from July for DIR-890L. Users are advised to apply the latest updates from the manufacturer as they roll out, or install alternative firmware that is maintained more actively and is compatible with their devices (e.g. DD-WRT, Tomato, Lede).

Credit: D-Link