Details of recently patched vulnerabilities laid bare
Security researchers from Trustwave have lifted the lid on a raft of recently revealed security vulnerabilities in routers from D-Link.
Five vulnerabilities in the DSL-2888A router, a higher-end, consumer-grade Gigabit ADSL2+ modem router, were patched by the network equipment manufacturer on October 30 in response to research from Trustwave SpiderLabs.
In a technical blog post, published on Thursday (December 17), Trustwave explains how these various vulnerabilities permitted potential attackers to gain unauthorized access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on a vulnerable device.
Five for five
The first of these flaws (CVE-2020-24579) meant the admin web portal for the router was accessible to any user on the same network without a valid password.
The upshot of this insufficient authentication vulnerability was that even though the “application will inform the user that the password is invalid”, the user would nonetheless achieve access.
A second flaw (CVE-2020-24577) meant that once access to a network is achieved, a hacker could obtain the internet provider username and password in plaintext form.
Moving on from that howler comes another beauty: an FTP misconfiguration bug (CVE-2020-24578) related to file-sharing functionality that allowed a network user to escape the shared folder to access the router file system and download other files located on the root folder.
This creates a mechanism to steal password hashes, among other exploits.
A fourth flaw (CVE-2020-24581) would let even an authenticated user execute Linux operating system commands on the router via hidden functionality not available on the router’s web portal interface.
Backdoor threat
Harold Zang, the technical specialist at Trustwave SpiderLabs who discovered the vulnerabilities, said this flaw created a means to plant backdoors on vulnerable devices.
“The ability to execute operating system commands on a router will allow an attacker to monitor network traffic to steal sensitive data including login credentials, this might also allow a malicious user to install backdoors on the router,” Zang writes.
The last vulnerability (CVE-2020-24580) was another insufficient authentication vulnerability.
The router uses the source IP address of a connecting user to perform authentication, potentially letting in a hacker capable of spoofing the IP address of a legitimate user with a valid session.
This might, at least in theory, include an administrator, provided that the privileged user had a session open at the time.
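The weakness described above, as an added example that is not code from D-Link, Trustwave or the original article: a session check keyed only on source IP, beside a variant that binds each login to an unguessable token. The class names, the 300-second idle timeout and the injectable clock are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 300  # seconds; assumed idle timeout for the hardened variant


class IpKeyedAuth:
    """Pattern described above: a login is remembered by source IP only."""

    def __init__(self):
        self.logged_in_ips = set()

    def login(self, src_ip, password_ok):
        if password_ok:
            self.logged_in_ips.add(src_ip)
        return password_ok

    def authorized(self, src_ip, token=None):
        # The address is the only credential checked on later requests.
        return src_ip in self.logged_in_ips


class TokenAuth:
    """Hardened: each login gets an unguessable token with an idle timeout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.sessions = {}  # token -> (src_ip, last_seen)

    def login(self, src_ip, password_ok):
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (src_ip, self.clock())
        return token

    def authorized(self, src_ip, token=None):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        bound_ip, last_seen = entry
        if self.clock() - last_seen > SESSION_TTL:
            del self.sessions[token]  # expired sessions cannot be revived
            return False
        if bound_ip != src_ip:  # address is a secondary check, not the credential
            return False
        self.sessions[token] = (bound_ip, self.clock())
        return True
```

With the first class, any request carrying a logged-in address is accepted without further proof; with the second, the same address without the token is refused.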
Action stations
Karl Sigler, senior threat intelligence manager at Trustwave, said: “Users that own this router should apply the firmware update available from D-Link to patch these issues.
“Until a patch can be put in place, users should make sure that the router is configured so that administration of the device can only be performed from the local network and not via the public internet.”
Sigler told The Daily Swig that the flaws might lend themselves to manipulator-in-the-middle attacks.
“The worst of these flaws allow to completely bypass authentication and gain full control of the router itself,” Sigler said.
“That’s pretty much as bad as it gets. Since the router is a network choke point, that means a successful attack could potentially compromise all traffic on that network.”
The Daily Swig contacted D-Link with a request to comment. No word back as yet, but we’ll update this story once more information comes to hand.