D-Link VPN Router Vulnerabilities
Digital Defense, Inc. is disclosing vulnerabilities identified in D-Link VPN routers discovered by our Vulnerability Research Team (VRT). The engineers at D-Link were prompt in their response when notified of the flaws and have provided hot fixes for these cyber security issues.
D-Link has made a patch in the form of a hotfix for the affected firmware versions and models. Reference the information provided in D-Link’s support announcement. The official firmware release is anticipated in mid-December. Users are advised to verify their hardware model and firmware to identify vulnerable devices and apply provided hotfix and any other updates until the official firmware is available.
Users of Digital Defense’s Frontline.Cloud platform can sweep for the presence of these issue in Frontline VM by performing a full vulnerability assessment scan or selecting CVC D-Link Unified Services Router Multiple Vulnerabilities (142411).
Details of the vulnerabilities are as follows:
Summary:
DDI-VRT-2020-01 – D-Link VPN Routers Unauthenticated Remote Root Command Injection (CVE-2020-25757)
DDI-VRT-2020-02 – D-Link VPN Routers Authenticated Root Command Injection (CVE-2020-25759)
DDI-VRT-2020-03 – D-Link VPN Routers Authenticated Crontab Injection (CVE-2020-25758)
Details
Vulnerability:
D-Link Unauthenticated & Authenticated Command Injection Vulnerabilities
Impact:
Unauthenticated attackers could execute arbitrary commands with root privileges.
Application/Version Affected:
DSR-150, DSR-250, DSR-500, DSR-1000AC
Firmware versions v3.17 and earlier
Details:
D-Link VPN Routers using the Unified Services Router web interface exhibit multiple flaws which could allow a remote attacker to execute arbitrary commands with root privileges.
The first issue is accessible without authentication requiring only the web interface be available to execute arbitrary code via a lua library that passes user-supplied data to a call as part of a command to calculate a hash.
The second issue requires authentication and exploits the Package Management form in the web interface which lacks server-side filtering for multi-part POST payloads.
On the third issue, D-Link acknowledges as intended device functionality.