World Safety
World Safety

D-Link VPN routers have more major security issues

  • Data Protection

    D-Link VPN routers have more major security issues

    Posted by Nigel Brown on 8 December 2020 at 9:12 pm

    Root command injection flaw could allow attackers to take over vulnerable routers.

    A previously undisclosed vulnerability has been discovered in VPN routers from D Link that could allow an attacker to take full control over the affected devices.

    The Vulnerability Research Team (VRT) at the threat management firm digital defence discovered a root command injection flaw in D-Link’s DSR-150, DSR-250, DSR-250, DSR-500 and DSR-1000AC VPN routers.

    Devices running firmware version 3.14 and 3.17 are vulnerable to potential attacks and this is made worse by the fact that D-Link’s VPN routers are commonly available on many popular ecommerce sites such as Amazon Best Buy, Office Depot and Walmart.

    As more employees are working from home during the pandemic, some might be connecting to corporate networks using one of the affected devices which could put organizations at risk as well.

    Command injection flaw

    The vulnerable component of D-Link’s VPN routers is accessible without authentication from both WAN and LAN interfaces and the flaw could even be exploited over the internet.

    Additionally, a remote, unauthenticated attacker with access to the router’s web interface could execute arbitrary commands as root which would effectively give them complete control of the router. With this access, an attacker could intercept or modify traffic, cause denial of service conditions and launch further attacks on other assets as D-Link routers can simultaneously connect to up to 15 devices.

    SVP of engineering at Digital Defense Mike cotton explained how the firm responsibly disclosed the vulnerability to D-Link in a press release, saying:

    “Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”

    D-Link has now patched the flaw and released updated firmware for all of the affected routers. Users can check out the company’s advisory on the issue for more information and it is highly recommended that they download and install the updated firmware for their device.

    03E17236-D5BE-4C75-A13D-397E75D67227
    Nigel Brown replied 3 years, 10 months ago 1 Member · 0 Replies
  • 0 Replies

Sorry, there were no replies found.

Log in to reply.

Start of Discussion
0 of 0 replies June 2018
Now

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .