Root command injection flaw could allow attackers to take over vulnerable routers...
A previously undisclosed vulnerability has been discovered in VPN routers from D-Link that could allow an attacker to take full control over the affected devices.
The Vulnerability Research Team (VRT) at the threat management firm Digital Defense discovered a root command injection flaw in D-Link's DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers.
Devices running firmware versions 3.14 and 3.17 are vulnerable to potential attacks, and this is made worse by the fact that D-Link's VPN routers are commonly available on many popular ecommerce sites such as Amazon, Best Buy, Office Depot and Walmart.
As more employees are working from home during the pandemic, some might be connecting to corporate networks using one of the affected devices, which could put organizations at risk as well.
Command injection flaw
The vulnerable component of D-Link's VPN routers is accessible without authentication from both WAN and LAN interfaces and the flaw could even be exploited over the internet.
Additionally, a remote, unauthenticated attacker with access to the router's web interface could execute arbitrary commands as root, which would effectively give them complete control of the router. With this access, an attacker could intercept or modify traffic, cause denial of service conditions and launch further attacks on other assets, as D-Link routers can simultaneously connect to up to 15 devices.
Mike Cotton, SVP of engineering at Digital Defense, explained how the firm responsibly disclosed the vulnerability to D-Link in a press release, saying:
“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
D-Link has now patched the flaw and released updated firmware for all of the affected routers. Users can check out the company's advisory on the issue for more information and it is highly recommended that they download and install the updated firmware for their device.