WARNING — Critical Remote Hacking Flaws Affect D-Link VPN Routers
Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks—even if they are secured with a strong password.
Three security shortcomings were responsibly disclosed to D-Link on August 11, which, if exploited, could allow remote attackers to execute arbitrary commands on vulnerable networking devices via specially-crafted requests and even launch denial-of-service attacks.#
D-Link DSR-150, DSR-250, DSR-500, and DSR-1000AC and other VPN router models in the DSR Family running firmware version 3.14 and 3.17 are vulnerable to the remotely exploitable root command injection flaw.
The issues in an advisory on December 1, adding that the patches were under development for two of three flaws, which have now been released to the public at the time of writing.
From both WAN and LAN interfaces, this vulnerability could be exploited over the Internet.
"Consequently, a remote, unauthenticated attacker with access to the router's web interface could execute arbitrary commands as root, effectively gaining complete control of the router."
The flaws stem from the fact that the vulnerable component, the "Lua CGI," is accessible without authentication and lacks server-side filtering, thus making it possible for an attacker — authenticated or otherwise — to inject malicious commands that will be executed with root privileges.
A separate vulnerability reported by Digital Defense concerns the modification of the router configuration file to inject rogue CRON entries and execute arbitrary commands as the root user.
However, D-Link said it will not correct this flaw "on this generation of products," stating this is the intended function.
"The device uses a plain text config, which is the design to directly edit and upload the config to the same DSR devices accordingly,"
"If D-Link mitigates issue #1 and #2, as well as other, recently reported issues, the malicious user would need to engineer a way of gaining access to the device to upload a configuration file, so we understand the report but classify the report as low-threat once the patched firmware is available."
With the unprecedented rise in work from home as a result of the COVID-19 pandemic, more employees may be connecting to corporate networks using one of the affected devices.
As organizations have scrambled to adapt to remote work and offer secure remote access to enterprise systems, the change has created new attack surfaces, with flaws in VPNs becoming popular targets for attackers to gain entry into internal corporate networks.
It's recommended that businesses using the affected products apply the relevant updates as and when they are available.