Stop me if you’ve heard this one before.
In May, Polish researcher Błażej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers.
According to Adamczyk, D-Link replied two weeks later to say that two of the products would be patched in due course but that the remaining six were considered end of life (EOL), the implication being that they wouldn’t be updated.
After receiving no further communication regarding the vulnerabilities by September, he gave them one month to announce updates or he would make the flaws public.
Last Friday, 12 October, he held true to his word, revealing the vulnerabilities, which included a proof-of-concept video showing how they could be used together to compromise vulnerable models.
We haven’t had D-Link’s side of the story, in fairness, but on the face of it this looks like another example of how responsible disclosure can occasionally end in an uncomfortable impasse.
Affected D-Link models
The D-Link models affected are the DWR-116, DWR-140L, DWR-512, DIR-640L, DWR-712, DWR-912, DWR-921, and DWR-111, six of which date from 2013, with the DIR-640L first appearing in 2012 and the DWR-111 in 2014.
Not exactly new, then, but many are still in use by happy owners unaware that these models are vulnerable to publicly disclosed security issues, and that six of the models will likely never be updated.
Path traversal
The flaws start with a path traversal bug in the router web interface, affecting all eight models, which would allow an attacker to access files using an HTTP request.
Identified as CVE-2018-10822, this arose after a previous flaw, CVE-2017-6190, was reported fixed but seemed to have recurred, said Adamczyk.
Next up, CVE-2018-10824 is a plaintext password issue that also affects all eight models; an attacker could retrieve the password using the path traversal weakness mentioned above.
Finally, CVE-2018-10823 affects six of eight models, and allows an attacker to run shell commands to take over the router. After awarding the combined flaws a 10 on the CVSS scale, Adamczyk concluded:
Taking all the three together it is easy to gain full router control including arbitrary code execution.
All that’s stopping an attacker from using the second of these is not knowing where the plaintext password file is stored, a location the PoC blanks out.
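As an added illustration (not code from Adamczyk's advisory or from D-Link firmware), this is the kind of check a web interface needs to stop a request path from escaping its document root: canonicalise first, then test containment. The function name, directory layout and `secret.conf` file are constructed for the example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(doc_root: str, url_path: str) -> Optional[str]:
    """Map a request path to a regular file under doc_root, else None."""
    root = os.path.realpath(doc_root)
    # Decode percent-escapes once, as the HTTP layer would, and reject NULs.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    # Drop leading slashes so join() is never handed an absolute path.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Containment is tested on the canonical path, i.e. after '..'
    # segments and symlinks have been resolved, not on the raw string.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Build a constructed tree and report which request paths are served."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("ok")
        # Constructed stand-in for a config file stored outside the web root.
        outside = os.path.join(tmp, "secret.conf")
        with open(outside, "w") as fh:
            fh.write("admin:placeholder")
        # A symlink inside the root that points outside it.
        os.symlink(outside, os.path.join(root, "css", "link"))
        requests = [
            "/index.html",           # ordinary file
            "/css/../index.html",    # '..' that stays inside the root
            "/../secret.conf",       # '..' that leaves the root
            "/%2e%2e/secret.conf",   # same, percent-encoded
            "/css/link",             # symlink leaving the root
            "/css",                  # directory, not a file
        ]
        return {r: resolve_under_root(root, r) is not None for r in requests}


if __name__ == "__main__":
    for path, served in demo().items():
        print(f"{path:24} {'served' if served else 'refused'}")
```

Keeping credentials out of plaintext files is the second layer: a containment failure then exposes a hash rather than a usable password.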
The issue of unpatched and never-to-be-patched routers has become a running theme. According to a recent American Consumer Institute (ACI) report, 155 out of 180 routers it analysed had unpatched flaws, equivalent to 172 each, 28% of which were rated high risk.
What’s irksome about the latest example of slow D-Link response is that it’s happened before in 2017 in an almost identical set of circumstances.
Different researcher, another group of older D-Link routers, but the same patchy response and outcome – the researcher reveals the flaws without fixes being available and little hope that they ever would be.
Our security advice is simple: when router makers say end of life, some of them really mean it.