RBS Research Discovers Multiple Pre-authentication Vulnerabilities in D-Link Device
January 27, 2021 • RBS
“I have a bad feeling about this.” (Han Solo)
Sometimes, it’s the little things that draw attention. The subtle hints that you don’t spot immediately. Inconsistencies that make you restless until you find yourself pointing a finger at them saying “w00t?”
Maybe the product just hadn’t had any firmware updates since 2017 because it was as good and secure as marketed. Could be, but that seems a bit of a long shot. Three years is a long time, and a lot of vulnerabilities have been found in that period in the various third-party components likely used in the device. Another, more likely reason is simply that no one had looked for vulnerabilities in this product. So we did…
“You know better than to trust a strange computer.” (C3PO)
What we discovered wasn’t pretty and suggested a very low code maturity. It was pre-authentication remote code execution galore. We identified seven vulnerabilities in the web-based management interface that can be exploited without authentication. Six of these are basic buffer overflows (four stack-based and two heap-based). We also found a flaw in the session ID generation that allows a remote attacker to predict the session ID of a logged-in administrator and gain unauthorized access to the device.
Our detailed write-up of the discovered vulnerabilities can be found here.
“Try not. Do, or do not. There is no try.” (Master Yoda)
After reporting the vulnerabilities to D-Link, a disclosure date of 2021/01/18 was agreed upon. However, D-Link already published a support announcement on 2021/01/15. This announcement lists all the vulnerabilities discovered by us along with a few from another party. Surprisingly, the provided firmware update did not address any of the vulnerabilities reported by us. Instead, D-Link states that a fix for those is currently under validation and scheduled for the end of January 2021. At the time of writing, the fix is still not available.
As a result, anyone using this access point is now left in the unfortunate situation that details of the vulnerabilities are publicly available while there is no fix. This means that in an environment where untrusted people may have access to the web-based management interface, they can fully compromise the device.
The released firmware update that did address the two vulnerabilities reported by another party doesn’t leave D-Link customers in a much better position. It’s not a stable release but a release candidate. Release candidates should generally not be installed on production systems, so customers are left with a lose-lose decision: install a release candidate that may introduce bugs that make the device unstable, or don’t install it and run the risk of the device being compromised.
For now, we recommend that users of these devices ensure they are only accessible from trusted networks. Applying the current release candidate doesn’t add much value, as it only addresses two out of the ten reported vulnerabilities. Once the updated firmware that fixes all the reported vulnerabilities is out, we recommend applying it promptly. Hopefully, it’s not another release candidate…