Thousands of D-Link VPN Routers Vulnerable to Device Takeover Attacks


Thousands of D-Link VPN routers are at risk of arbitrary code injection and device takeover attacks due to critical zero-day vulnerabilities.

Three critical zero-day flaws have been discovered in D-Link VPN routers that make them vulnerable to root command injection and execution. Digital Defense security researchers who uncovered the zero-day bugs affecting D-Link VPN routers told Toolbox that if an attacker manages to exploit the router and gain control over it, s/he would be in a position to observe and modify the network traffic of local and VPN clients.

The security researchers could locate around a thousand or so instances of vulnerable devices with remote management enabled.

The three vulnerabilities, tracked as CVE-2020-25757, CVE-2020-25758, and CVE-2020-25759, impact D-Link VPN router models DSR-150, DSR-250, DSR-500 and DSR-1000AC, which have firmware versions 3.14 and 3.17 installed.

One of these vulnerabilities, D-Link stated, “is how the device functionally works, and D-Link will not correct it on this generation of products.” Patches for the remaining two are being developed and will be available by mid-December.


Talking about the severity of the vulnerability, the Digital Defense researcher said, “If an attacker were to leverage this vulnerability against a router over the internet, they could then use the access gained from this to probe and attack LAN and VPN clients of the router.”

Here’s a detailed look at the three zero-day flaws:

CVE-2020-25757: Anyone with access to the Unified Services Router web interface over the internet is in a position to execute arbitrary commands with root privileges on the device. This means the devices are vulnerable to unauthenticated attackers over the internet.

CVE-2020-25759: This bug allows arbitrary code injection with root privileges, but only by authenticated users with access to the Unified Services Router web interface of the vulnerable D-Link device. A fix can be expected soon.

CVE-2020-25758: This bug allows authenticated users to inject arbitrary CRON entries into the device. Digital Defense said this is done by modifying a downloaded router configuration file, updating the CRC, and reuploading the resulting crafted configuration file; the injected entries are then executed with root privileges. D-Link acknowledges this as intended device functionality and classifies it as a low-threat bug, which can be mitigated once the previous two arbitrary code injection bugs are patched.
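Why the CRC on the configuration file does not prevent the modification described for CVE-2020-25758, shown as an added example that is not code from D-Link or Digital Defense: an unkeyed checksum can be recomputed by anyone holding the file, while a keyed MAC cannot. The file contents, the use of CRC-32, the trailer layout and `DEVICE_KEY` are all constructed assumptions and do not reflect the real DSR configuration format.

```python
import hashlib
import hmac
import zlib

# Constructed sample config; NOT the D-Link file format.
ORIGINAL = b"hostname=branch-router\nremote_mgmt=off\n"
TAMPERED = ORIGINAL + b"extra_line=added-after-download\n"

DEVICE_KEY = b"constructed-per-device-secret"  # hypothetical key that never leaves the device


def seal_crc(body: bytes) -> bytes:
    """Append an unkeyed CRC-32 trailer (assumed checksum, for illustration)."""
    return body + zlib.crc32(body).to_bytes(4, "big")


def accept_crc(blob: bytes) -> bool:
    """Import check that only compares the body against its CRC trailer."""
    body, trailer = blob[:-4], blob[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == trailer


def seal_hmac(body: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with a key the user never sees."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept_hmac(blob: bytes, key: bytes) -> bool:
    """Import check that verifies the keyed tag in constant time."""
    body, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def demo() -> dict:
    # The party editing the file holds the download, not the device key.
    crc_resealed = seal_crc(TAMPERED)         # a checksum needs no secret
    exported = seal_hmac(ORIGINAL, DEVICE_KEY)
    hmac_edited = TAMPERED + exported[-32:]   # old tag no longer matches the body
    return {
        "crc_accepts_original": accept_crc(seal_crc(ORIGINAL)),
        "crc_accepts_modified": accept_crc(crc_resealed),
        "hmac_accepts_original": accept_hmac(exported, DEVICE_KEY),
        "hmac_accepts_modified": accept_hmac(hmac_edited, DEVICE_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A CRC still catches accidental corruption, which is its purpose; it says nothing about who produced the file.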

Amidst a global pandemic, businesses and consumers turn to solutions like VPNs and Secure Access Service Edge or SASE to secure remote work. The dramatic increase in demand for these products also comes with increased attention from cybercriminals and security researchers alike.

Whether it is hardware or software, the technologies used today are always going to have flaws and vulnerabilities. Part of the process of security is enumerating those flaws so they can be mitigated or corrected. “It is likely we will see more vulnerabilities in these products going forward, but it is just as likely we will see researchers and vendors coordinating to address them,” the Digital Defense team noted.
