Security researchers at Palo Alto Networks’ Unit 42 team have identified six vulnerabilities in the D-Link DIR-865L series of cloud wireless routers, one of which has been rated critical and the remaining five of which are rated high severity.
The D-Link DIR-865L series of routers reached end of life in February 2016; however, many are still in use and are vulnerable to attack. After being notified about the flaws, D-Link warned customers that, as there is no further support or development, continued use of the routers is at customers’ own risk.
One of the vulnerabilities – CVE-2020-13782 – is a command-injection flaw (improper neutralization of special elements used in a command) that has been rated critical.
“The web interface for this router is controlled by the backend engine called cgibin.exe. Most requests for web pages are sent to this controller. If a request for scandir.sgi is made, a malicious actor can inject arbitrary code to be executed on the router with administrative privileges,” explained the researchers.
While the attack would require authentication, the exploit for the vulnerability could be paired with another vulnerability discovered by the Unit 42 team – CVE-2020-13786. Since the web interface is vulnerable to cross-site request forgery, an attacker could sniff web traffic and gain access to password-protected parts of the website.
The session cookie is randomly generated, but the algorithm uses a predictable seed in its pseudo-random number generator (CVE-2020-13784). That means an attacker would be able to determine the session cookie from only the approximate time that the user logged on.
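To make the seed weakness concrete, here is an added illustration that is not D-Link’s firmware code (which this article does not show): a hypothetical token generator seeded with the login timestamp sits next to a CSPRNG-backed one, and an audit function checks whether a token can be regenerated from nothing more than an approximate login time. The timestamps, token format and search window are constructed for the example.

```python
import random
import secrets
from typing import Callable


def weak_session_token(login_time: int) -> str:
    """Hypothetical weak generator: seeds the PRNG with the login timestamp.
    The generator itself is public (firmware can be read), so the only
    'secret' is the seed, and the seed is just a clock value."""
    rng = random.Random(login_time)  # predictable seed
    return "".join(rng.choice("0123456789abcdef") for _ in range(32))


def strong_session_token(_login_time: int = 0) -> str:
    """Hardened form: draws from the OS CSPRNG; the timestamp is ignored,
    so knowing when the user logged in reveals nothing about the token."""
    return secrets.token_hex(16)


def token_reproducible(token: str, generator: Callable[[int], str],
                       approx_time: int, window: int) -> bool:
    """Audit check: can `token` be regenerated from a time guess alone?
    Re-runs the generator for every whole-second seed within +/- `window`
    seconds of the approximate login time (e.g. taken from a server log)."""
    for t in range(approx_time - window, approx_time + window + 1):
        if generator(t) == token:
            return True
    return False


def audit(window: int = 120) -> dict:
    """Constructed scenario: the user logged in at `actual`; the auditor
    only knows the time to within `window` seconds."""
    actual = 1590451200   # constructed login timestamp (epoch seconds)
    approx = actual + 37  # auditor's imprecise estimate of that time
    return {
        "weak_reproducible": token_reproducible(
            weak_session_token(actual), weak_session_token, approx, window),
        "strong_reproducible": token_reproducible(
            strong_session_token(actual), strong_session_token, approx, window),
    }
```

The weak generator fails the audit for any window that covers the real login second, which is exactly why a CSPRNG (or a seed that is itself unpredictable) is the fix rather than a larger token.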
The other vulnerabilities concern inadequate encryption strength (CVE-2020-13785) and cleartext storage of sensitive information (CVE-2020-13783), although for sensitive information to be stolen, the attacker would need physical access to the device. The final vulnerability (CVE-2020-13787) concerns cleartext transmission of sensitive information, but only if the administrator chooses to use WEP to secure the wireless network.
The routers are consumer grade, but with the number of employees now working remotely, it is possible that some of these devices are actually being used for business purposes, and attacks on remote workers have increased considerably during the COVID-19 crisis.
Even though the routers reached end of life in 2016, D-Link released a “beta” patch (v1.20B01Beta01) on May 26, 2020 to correct three of the flaws: the critical flaw CVE-2020-13786, along with CVE-2020-13785 and CVE-2020-13783.
If the router cannot be replaced, the latest version of the firmware should be installed, all traffic should default to HTTPS to prevent session hijacking attacks, and the time zone should be changed to foil attempts to guess the session ID.