D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws
#1
Information 
Quote:Buggy firmware opens a number of D-Link VPN router models to zero-day attacks. The flaws, which lack a complete vendor fix, allow adversaries to launch root command injection attacks that can be executed remotely and allow for device takeover.
 
Impacted are D-Link router models DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN running firmware version 3.14 and 3.17, according to a report published Tuesday by Digital Defense. The attacks are dependent on three chained bugs identified by researchers as an unauthenticated remote LAN/WAN root command injection flaw, authenticated root command injection vulnerability and an authenticated crontab injection.
 
The flaws (CVE-2020-25757, CVE-2020-25759, CVE-2020-25758) were confirmed by D-Link. However, the company says beta firmware patches and hot-patch mitigations available for its DSR-150, DSR-250 and DSR-500 models significantly reduce the ability for an adversary to target a vulnerable router.
 
“The two vulnerabilities were confirmed, and patches are under development. One of the reported vulnerabilities is how the device functionally works, and D-Link will not correct it on this generation of products,” D-Link wrote in response to the research.
 
Some of the impacted router models were first introduced in 2012 and appear to lack the same type of patching cadence as more modern D-Link router models. For example, D-Link’s DSR-150, was released over seven-years ago.
 
Absent from the D-Link support page is information or fixes for more recent router models DSR-500 and DSR-1000AC VPN. Both were identified by Digital Defense as vulnerable to remotely exploitable root command injection flaws.

Read more: https://threatpost.com/d-link-routers-ze...ws/162064/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
NanaZip 6.5 Update (6.5.1767.0)
NanaZip 6.5 Update...harlan4096 — 19:15
Microsoft Edge 150 Adds Google Account S...
Microsoft has adde...harlan4096 — 10:26
Free Download Manager 6.34.2.6926
Changes in 6.34.2....harlan4096 — 09:37
Bitdefender 27.0.60.341
Latest version of ...harlan4096 — 09:34
Microsoft Edge 150.0.4078.48
Version 150.0.4078...harlan4096 — 09:33

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (47)dapedDow
avatar (49)TromPerl
avatar (46)RidgeDimb
avatar (37)ipumaqar
avatar (51)tanliorsPeri
avatar (43)lapedDow
avatar (49)rituabew
avatar (37)omyjul
avatar (41)papedDow
avatar (50)ArnoldFum
avatar (38)yfaza
avatar (49)Kevensi
avatar (48)ConradRoand
avatar (39)boineDon
avatar (51)spoofTum
avatar (50)WillieVot
avatar (40)Grompelbawn
avatar (41)vkseogaF
avatar (37)usogy
avatar (40)ywixazok
avatar (38)ixoqe
avatar (56)Step 1
avatar (36)pa.OpenTran

[-]
Online Staff
There are no staff members currently online.

>