Introduction
In a previous post we introduced the NetUSB bug, which left millions of routers vulnerable to a simple buffer overflow. Today the Search-Lab team has uncovered a D-Link vulnerability that allows attackers to compromise devices remotely. D-Link products, including NAS (Network Attached Storage) and Network Video Recorder (NVR) devices, are affected by more than 50 vulnerabilities. These vulnerabilities are present in the latest official patch, dated 30-07-2014. According to Search-Lab, these devices are affected by a remotely exploitable vulnerability that allows attackers to run arbitrary code on a device and gain full control.
Affected Devices
Devices primarily targeted during the assessment:
– DNS-320, Revision A: 2.03, 13/05/2013
– DNS-320L, 1.03b04, 11/11/2013
– DNS-327L, 1.02, 02/07/2014
– DNR-326, 1.40b03, 7/19/2013
Other devices affected by one or more of the vulnerabilities:
– DNS-320B, 1.02b01, 23/04/2014
– DNS-345, 1.03b06, 30/07/2014
– DNS-325, 1.05b03, 30/12/2013
– DNS-322L, 2.00b07
Short Details
– Attackers can authenticate with default user names such as root/nobody, and the administrator is not able to change the default password for these users.
– An authentication bypass bug can be used to take full control of a device without the need for exploitation or programming.
– The session management part of the code allows an attacker to perform an unauthenticated file upload to a location of their choosing.
CVE
The following CVEs are available for these vulnerabilities:
– CVE-2014-7858: Check_login bypass vulnerability in DNR-326
– CVE-2014-7859: Buffer overflow in login_mgr.cgi and in file_sharing.cgi
– CVE-2014-7860: Unauthenticated photo publish
Recommendations
Most of the vulnerabilities were fixed in:
– DNS-320L 1.04.B12
– DNS-327L 1.03.B04
Some of the vulnerabilities were fixed in:
– DNR-326 2.10.B03
– DNR-322L 2.10.B03
Don’t expose your device’s web interface to the internet, and disable UPnP on the router.