Multiple vulnerabilities in D-Link DIR-620 routers

1) Privilege escalation (backdoor)

EUVDB-ID: #VU13007

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-6213

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exist due use of hardcoded default credentials for web dashboard. A remote attacker can use a backdoor account to gain privileged access to the firmware, extract sensitive data, e.g., configuration files with plain-text passwords, run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

To mitigate the issues Kaspersky recommends:

• Restrict any access to the web dashboard using a whitelist of trusted IPs
• Restrict any access to Telnet
• Regularly change your router admin username and password.

Vulnerable software versions

DIR-620: 1.0.37

External links

http://securelist.com/backdoors-in-d-links-backyard/85530/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Reflected cross-site scripting

EUVDB-ID: #VU13008

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-6212

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform reflected cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

To mitigate the issues Kaspersky recommends:

• Restrict any access to the web dashboard using a whitelist of trusted IPs
• Restrict any access to Telnet
• Regularly change your router admin username and password.

Vulnerable software versions

DIR-620: 1.3.3

External links

http://securelist.com/backdoors-in-d-links-backyard/85530/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) OS command injection

EUVDB-ID: #VU13009

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-6211

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute shell commands on the target system.

The weakness exists due to incorrect processing of the user’s input data in the certain parameter. A remote attacker can inject and execute arbitrary shell commands with root privileges.

Mitigation

To mitigate the issues Kaspersky recommends:

• Restrict any access to the web dashboard using a whitelist of trusted IPs
• Restrict any access to Telnet
• Regularly change your router admin username and password.

Vulnerable software versions

DIR-620: 1.0.3

External links

http://securelist.com/backdoors-in-d-links-backyard/85530/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use of hard-coded credentials

EUVDB-ID: #VU13010

Risk: Low

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-6210

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to extract Telnet credentials.

The vulnerability exists due to use of hard-coded credentials. A remote attacker can extract Telnet credentials, use the default credentials for Telnet and get administrative access to a router (the fragment of “etc/passwd”).

Mitigation

To mitigate the issues Kaspersky recommends:

• Restrict any access to the web dashboard using a whitelist of trusted IPs
• Restrict any access to Telnet
• Regularly change your router admin username and password.

Vulnerable software versions

DIR-620: 1.0.3 - 1.4.0

External links

http://securelist.com/backdoors-in-d-links-backyard/85530/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.