Vulnerabilities

Published on March 17th, 2015


D-Link Patches Two Remotely Exploitable Bugs in Firmware



Router company D-Link has patched two separate vulnerabilities in its firmware, both remotely exploitable and both capable of leading to device takeover and arbitrary code execution.

Network cameras in the DCS-93xL series, including the DCS-930L, DCS-931L, DCS-932L and DCS-933L models, contain a flaw that lets a remote authenticated attacker upload a file to an arbitrary location of their choosing on the device. That primitive allows an attacker to create, modify or delete information on the device, and because the written file can overwrite scripts or binaries the device later executes, it can also lead to arbitrary code execution.
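To make the bug class concrete, here is an added C illustration (not D-Link's firmware code) of the difference between an upload handler that trusts the client-supplied file name and one that confines every write to a fixed upload directory. The upload root, the file names used as probes and both handler functions are hypothetical; the point is that an attacker-chosen name such as `../../etc/passwd` or `/bin/sh` must never reach the filesystem call.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical upload directory; not a path from any D-Link firmware. */
#define UPLOAD_ROOT "/var/www/uploads/"

/* Vulnerable pattern: the client-supplied file name is used verbatim, so a
 * name like "../../etc/passwd" escapes the upload directory and an absolute
 * name like "/bin/sh" overwrites an arbitrary file. Returns the path the
 * handler would write to (static buffer; nothing is written here). */
const char *vulnerable_upload_path(const char *name) {
    static char path[512];
    if (name[0] == '/')
        snprintf(path, sizeof path, "%s", name);
    else
        snprintf(path, sizeof path, UPLOAD_ROOT "%s", name);
    return path;
}

/* Hardened pattern: accept exactly one path component drawn from a
 * conservative character set. No '/', no leading '.', bounded length, so
 * the result is always a direct child of UPLOAD_ROOT. Returns NULL when the
 * name is rejected. */
const char *safe_upload_path(const char *name) {
    static char path[512];
    size_t n = strlen(name);
    if (n == 0 || n > 64) return NULL;
    if (name[0] == '.') return NULL;          /* rejects ".", "..", dotfiles */
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return NULL;                 /* rejects '/', '\\', spaces, ... */
    }
    snprintf(path, sizeof path, UPLOAD_ROOT "%s", name);
    return path;
}

/* Stand-alone demo over a few constructed probe names. */
int main(void) {
    const char *probes[] = { "snapshot.jpg", "../../etc/passwd", "/bin/sh", ".." };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *safe = safe_upload_path(probes[i]);
        printf("%-20s vulnerable -> %s\n", probes[i], vulnerable_upload_path(probes[i]));
        printf("%-20s hardened   -> %s\n", probes[i], safe ? safe : "rejected");
    }
    return 0;
}
```

An allowlist on a single path component is simpler and easier to audit than trying to strip `..` sequences after the fact; the handler should additionally run as an unprivileged user so that even a bypass cannot overwrite system binaries.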

The flaw was confirmed in firmware version 1.04, but the advisory published today in CERT's Vulnerability Notes database warns that every version before 2.0.17-b62, the current patched build, should be considered affected.

The second issue D-Link patched is also a firmware vulnerability, this one in the DAP-1320 Rev Ax firmware, version 1.11. According to CERT, the firmware's update mechanism is vulnerable to command injection: a remote, unauthenticated attacker could feed it crafted input and have arbitrary commands executed on the device.
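The advisory does not describe the DAP-1320 update mechanism in detail, so the following added C example (not D-Link's code) assumes a common embedded pattern: the device accepts a firmware URL and fetches it with a shell command. The vulnerable function shows what the shell sees when a `;` is smuggled into the URL; the hardened functions validate the URL against an allowlist and build an argv for `execv()` so the URL is never interpreted by a shell. The `wget` path, the temporary file name and the URL probes are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the attacker-controlled URL is spliced into a shell
 * command line that would then be handed to system() or popen(). Returns the
 * string the shell would see (static buffer; nothing is executed here). */
const char *vulnerable_update_cmd(const char *url) {
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "wget -O /tmp/fw.bin %s", url);
    return cmd;
}

/* Hardened input check: require an https:// URL of bounded length built only
 * from a conservative character set. Shell metacharacters (';', '|', '`',
 * '$', '&', quotes, whitespace, newlines) are outside the set, and the fixed
 * "https://" prefix also stops a URL starting with '-' from being parsed as a
 * wget option. Returns 1 if acceptable, 0 otherwise. */
int safe_update_url(const char *url) {
    size_t n = strlen(url);
    if (n < strlen("https://") + 1 || n > 256) return 0;
    if (strncmp(url, "https://", 8) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = url[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || strchr("-._~:/?=%", c) != NULL;
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened execution path: never pass the URL through a shell. Build the argv
 * that a real handler would run with fork() + execv(); the URL becomes a
 * single argument, so metacharacters in it carry no meaning. Returns argc on
 * success, -1 if the URL was rejected (g_argv is left untouched). */
static const char *g_argv[5];
int safe_update_argv(const char *url) {
    if (!safe_update_url(url)) return -1;
    g_argv[0] = "/usr/bin/wget";   /* hypothetical binary path */
    g_argv[1] = "-O";
    g_argv[2] = "/tmp/fw.bin";
    g_argv[3] = url;
    g_argv[4] = NULL;
    return 4;
}

/* Stand-alone demo over constructed inputs. */
int main(void) {
    const char *probes[] = {
        "https://fw.example.com/dap1320/fw.bin",
        "http://x/fw.bin; telnetd -l /bin/sh",
        "https://x/fw.bin`id`",
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("shell would run: %s\n", vulnerable_update_cmd(probes[i]));
        printf("hardened verdict: %s\n",
               safe_update_argv(probes[i]) > 0 ? "accepted (argv built)" : "rejected");
    }
    return 0;
}
```

Input validation removes the injection, but it does not make an update mechanism safe on its own: the fetched image still has to be authenticated (signature verified against a key baked into the device) before it is written to flash, otherwise an attacker who can influence the download source can replace the firmware wholesale.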


Users running either affected firmware are urged to update to the patched versions, 2.0.17-b62 for the DCS-93xL cameras and 1.21b05 for the DAP-1320.

Researchers at Tangible Security, a Maryland-based security firm that has previously worked with the Department of Homeland Security, the FBI and other agencies, discovered the vulnerabilities and disclosed them to D-Link.

D-Link also recently fixed three critical vulnerabilities in a number of its home routers that could have led to remote code execution, information disclosure and DNS hijacking. Firmware for the DIR-626L, DIR-808L, DIR-820L, DIR-826L, DIR-830L and DIR-836L models was updated with those fixes over the past two weeks or so.
