Zero-day vulnerabilities are generally scary enough that when one is made public, vendors begin scrambling to issue a fix. By nature, zero-day flaws are vulnerabilities that the affected vendor has no knowledge of and for which no patches exist. Alarmingly, not one or two but 10 zero-day flaws have recently been uncovered affecting D-Link routers, which could potentially leave users at risk of cyberattacks.
Pierre Kim, a security researcher, chose to publicly expose the vulnerabilities related to D-Link 850L routers, citing "difficulties" working with the vendor on a coordinated disclosure. According to the researcher, the zero-day flaws, if exploited by hackers, could potentially lead to attackers gaining root access to devices and getting backdoor access. They could also remotely hijack and control routers as well as leave users vulnerable to XSS and command injection attacks and more.
Kim had reportedly uncovered vulnerabilities affecting D-Link routers before, but the firm downplayed the issues. This led to the researcher's decision to publicly disclose the zero-day flaws. "The Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused," Kim said in a blog post that detailed the flaws. "Their previous lack of consideration about security made me publish this research without coordinated disclosure."
The researcher also advised that users "immediately disconnect vulnerable routers from the internet".
Here's the list of 10 zero-day vulnerabilities that affect both the D-Link 850L revisions A and B.
- Weak firmware protection – The lack of proper protection for firmware images could allow hackers to upload new malicious firmware to the router. Although firmware for D-Link 850L RevB is protected with a hardcoded password, firmware for D-Link 850L RevA has no protection whatsoever.
- Cross-site scripting (XSS) flaws – Kim says that D-Link 850L RevA's LAN and WAN are both affected by "several trivial" XSS flaws that could allow hackers to steal authentication cookies.
- Admin passwords vulnerable – Flaws affecting LAN and WAN of D-Link 850L RevB could allow attackers to obtain admin passwords and use the MyDLink cloud protocol to gain total access to a victim's router.
- Lack of proper cloud protocol – This affects both D-Link 850L RevA and RevB. Kim found that the MyDLink protocol uses no encryption to protect communications between the router and users' MyDLink account.
- Backdoor access – The D-Link 850L RevB routers have backdoor access via Alphanetworks, potentially allowing hackers to gain root access.
- Firmware comes encoded with private keys – The researcher also discovered that private encryption keys are hardcoded within the firmware of both D-Link 850L RevA and RevB, which hackers could use to launch MITM (man-in-the-middle) attacks.
- No authentication check – This issue could let hackers alter the DNS settings of affected routers and essentially hijack the device.
- Pre-Authentication RCEs as root – This issue leaves routers vulnerable to command injection attacks, allowing attackers to gain root access on the affected devices.
- Credentials stored in cleartext and weak file permissions – Routers were found to store credentials in cleartext, and local files on both D-Link 850L RevA and RevB are exposed.
- Denial of Service bugs – These flaws could let hackers remotely crash daemons.
The US Federal Trade Commission (FTC) recently sued D-Link, alleging that the Taiwan-based firm employed inadequate security measures, which left its products and users vulnerable to hacking.
IBTimes UK has reached out to D-Link. This article will be updated in case there is a response from the company.