In the past few months, remote working has risen sharply, a byproduct of the ongoing pandemic. In such times, the devices that make working from home possible have become a key focus of attackers.
One such case has surfaced once again: researchers from Palo Alto Networks’ Unit 42 have discovered a total of 6 vulnerabilities in D-Link’s DIR-865L, a router geared towards home network usage.
Found in February 2020 and reported only a couple of days ago; it is also possible that newer models are vulnerable too, since according to the researchers they “share a similar codebase”.
1. CVE-2020-13782 – Malicious Code Injection
Firstly, a backend engine named cgibin.exe controls the router’s web interface. This is fine in itself, but when a very specific request is made, “arbitrary code” can be executed with unlimited permissions.
The only caveat is that authentication is required, but this too can be bypassed if the attacker manages to obtain “an active session cookie” through the Cross-Site Request Forgery attack detailed below.
2. CVE-2020-13786 – CSRF
Secondly, many pages on the web portal are vulnerable to Cross-Site Request Forgery (CSRF). In such a case, attackers can monitor or sniff existing web traffic to find critical information that lets them access restricted portions of the site, all without a password.
Due to the nature of CSRF, this makes it very easy for intruders to read and write both legitimate and malicious data.
3. CVE-2020-13785 – Lack of Encryption
On port 8181, another web portal named SharePort, designed for file sharing, sadly lacks encryption, enabling attackers to sift through plain-text information and recover a user’s password through a brute-force attack.
4. CVE-2020-13784 – Calculating Session Cookies
Every time a session cookie is generated, a random process is used. But what happens when that process itself can be predicted? That is exactly what happened here: attackers can work out a user’s session cookie if they find out the time that particular user has been logged in for. What makes it more dangerous is that it works regardless of whether encryption is enabled.
You can guard against this simply by changing your router’s time zone.
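To illustrate the bug class rather than D-Link’s actual algorithm (which the post does not show), here is an added example, not code from the router or from Unit 42: a session cookie seeded only from the login time is reproducible by anyone who can narrow that time down, whereas one drawn from the OS CSPRNG is not. The function names are hypothetical.

```python
import random
import secrets


def weak_session_cookie(login_time: int, length: int = 16) -> str:
    """Illustrative weak generator (hypothetical, not the router's code):
    a PRNG seeded only with the login timestamp. The same timestamp always
    yields the same cookie, so knowing the time means knowing the cookie."""
    rng = random.Random(login_time)  # deterministic seed -> deterministic output
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(length))


def strong_session_cookie(length: int = 16) -> str:
    """Hardened generator: secrets.token_hex() reads the OS CSPRNG, so the
    cookie is independent of time, session count or any other guessable input."""
    return secrets.token_hex(length)


def is_reproducible_from_time(cookie: str, candidate_times: range) -> bool:
    """Defensive self-check for a cookie generator: if any plausible login
    time re-derives the cookie, the generator leaks its state through time.
    A sound generator never returns True here."""
    return any(weak_session_cookie(t) == cookie for t in candidate_times)
```

Run the self-check against your own token generator with a window of plausible login times; a positive result is the signal that the generator must be replaced, not tuned.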
5. CVE-2020-13783 – Plain Text Password
On a page called tools_admin.php, the admin password is stored in plain text. If you have been following cybersecurity for a while, you know this is problematic. In this case, a threat actor cannot steal the password remotely, because it is not sent in plain text “over the wire”; nonetheless, if they gain physical access to the computer, all they need to do is find the file and ta-da!
Considering that the router is meant for home use, it can be very easy for someone to social-engineer their way in.
6. CVE-2020-13787 – Weak Wi-Fi Protocol
Lastly, users have the option to set up a guest Wi-Fi network themselves on a page named “adv_gzone.php”. During the process, they are also allowed to choose a security protocol, one option being Wired Equivalent Privacy (WEP), which has been outdated for more than 15 years now.
However, if they do choose it, WEP transmits all passwords in plain text, allowing attackers who are sniffing the network to learn such sensitive information.
In a blog post, Palo Alto Networks’ Unit 42 researchers warned that:
The D-Link DIR-865L home wireless router has multiple vulnerabilities. Due to the number of people working from home, malicious actors have an incentive to attack routers meant for home networks.
These vulnerabilities can be used together to run arbitrary commands, exfiltrate data, upload malware, delete data, or steal user credentials. These attacks are easiest to conduct if the router is set up to use HTTP, but a sophisticated attacker can still calculate the required session information if the router uses HTTPS.
To conclude, going forward it is important to make sure all of your traffic is encrypted, as this can help prevent “session hijacking attacks” like those seen above.
Moreover, the researchers recommend that you do not share any confidential or sensitive data using this model until a patch is installed.
Currently, though, only a beta patch has been released, and you may have to configure it manually. We’ll keep updating you on HackRead.com regarding any future developments on this topic.