Naked Security

Serious D-Link router security flaws may never be patched

Six routers with serious security flaws are considered end of life (EOL) and may never be updated.

Stop me if you’ve heard this one before.
In May, Polish researcher Błażej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers.
According to Adamczyk, D-Link replied two weeks later to say that two of the products would be patched in due course but that the remaining six were considered end of life (EOL), the implication being that they wouldn’t be updated.
After receiving no further communication regarding the vulnerabilities by September, he gave them one month to announce updates or he would make the flaws public.
Last Friday, 12 October, he held true to his word, revealing the vulnerabilities, which included a proof-of-concept video showing how they could be used together to compromise vulnerable models.
We haven’t had D-Link’s side of the story, in fairness, but on the face of it this looks like another example of how responsible disclosure can occasionally end in an uncomfortable impasse.

Affected D-Link models

The D-Link models affected are the DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921, and DWR-111, six of which date from 2013, with the DIR-640L first appearing in 2012 and the DWR-111 in 2014.
Not exactly new, then, but many are still in use by happy owners unaware that these models are affected by publicly disclosed security issues, and that six of them will likely never be updated.

Path traversal

The first is a path traversal flaw in the router web interface, affecting all eight models, which would allow an attacker to access files using an HTTP request.
Identified as CVE-2018-10822, this arose after a previous flaw, CVE-2017-6190, was reported fixed but seemed to have recurred, said Adamczyk.
Next up, CVE-2018-10824 is a plaintext password issue that also affects all eight models; an attacker could retrieve the password using the path traversal weakness mentioned above.
Finally, CVE-2018-10823 affects six of eight models, and allows an attacker to run shell commands to take over the router. After awarding the combined flaws a 10 on the CVSS scale, Adamczyk concluded:

Taking all the three together it is easy to gain full router control including arbitrary code execution.

All that’s stopping an attacker from using the second of these is knowing where the plaintext password file is stored, which the PoC blanks out.
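For readers who maintain embedded web interfaces, here is an added example (not D-Link firmware code and not from Adamczyk's advisory) of the general check that closes a path traversal hole: decode the request path once, normalise it, and confirm the result is still inside the document root. `WEB_ROOT`, the function names and the sample paths are all constructed for illustration; the article does not describe how the affected firmware maps URLs to files.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/www"  # hypothetical document root, not taken from the advisory


def unsafe_resolve(url_path: str) -> str:
    """Vulnerable pattern: join the decoded request path onto the root, no check."""
    return posixpath.normpath(
        posixpath.join(WEB_ROOT, unquote(url_path).lstrip("/"))
    )


def safe_resolve(url_path: str) -> Optional[str]:
    """Return the file path to serve, or None if the request leaves WEB_ROOT."""
    decoded = unquote(url_path)  # decode exactly once
    # A NUL byte, or a '%' that survives one decode (double encoding), is
    # refused outright. Conservative: also refuses literal '%' in file names.
    if "\x00" in decoded or "%" in decoded:
        return None
    # Treat backslashes as separators so they are normalised like '/'.
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, decoded.lstrip("/"))
    )
    # Check containment on the normalised result, component by component.
    # A plain startswith() test would wrongly accept a sibling such as /www2.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Constructed sample requests, not taken from any real device or log.
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",
    "/../private/secret.txt",
    "/%2e%2e/private/secret.txt",
    "/%252e%252e/private/secret.txt",
    "/../www2/config",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} unsafe={unsafe_resolve(req)!r:28} safe={safe_resolve(req)!r}")
```

This check is purely lexical; on a real filesystem the resolved path should also be canonicalised (for example with `os.path.realpath`) so that symlinks inside the root cannot point outside it.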
The issue of unpatched and never-to-be-patched routers has become a running theme. According to a recent American Consumer Institute (ACI) report, 155 out of 180 routers it analysed had unpatched flaws, equivalent to 172 each, 28% of which were rated high risk.
What’s irksome about the latest example of slow D-Link response is that it’s happened before in 2017 in an almost identical set of circumstances.
Different researcher, another group of older D-Link routers, but the same patchy response and outcome – the researcher reveals the flaws without fixes being available and little hope that they ever would be.
Our security advice is simple: when router makers say end of life, some of them really mean it.

6 Comments

D-Link lost my confidence completely when a firmware patch of my then-new router bricked it. They wouldn’t do anything about it, saying they didn’t warranty against firmware changes.
After picking my jaw off the desk, I asked them to clarify. They did: since the firmware (which came directly from their website) wasn’t part of the in-the-store product I bought, they wouldn’t fix it or replace it.
It was their top-of-the-line consumer model. I was floored. Ever since then, I have steered every company and person I’ve worked for or with away from them.
This current incident, like the last, has just clarified that I’ve made the right decision. It cost me $300, but I’m sure I’ve steered 10s of thousands of dollars away from them since.


Of course government could legislate that equipment running code should be fully supported for say 10 years from when it goes EOL. We legislate for electrical and fire safety, why not code safety? Hell, they could even include a ‘kill by’ date after which the equipment stops working.


I’m not familiar with these models because I have been using routers that can be flashed with open source firmware for years. I do my own updates.
Some routers are never updated because they are cheap and there is little profit. But, in some cases these types of routers are always full of security holes. There should be some sort of accountability when the manufacturer hasn’t done even rudimentary testing. It puts us all at risk.
One of the next things to be exploited is probably those cheap Android TV boxes. Most are sold rooted, they’re never updated and the firmware is questionable in the first place. There are millions of them out there. That’s to be the next botnet.


D-Link SIRT :: For Accurate and Up to Date information regarding this issue please go to: https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10093
