Overview
Multiple zero-day vulnerabilities have been discovered on D-Link Routers that could allow an adversary to launch root level command injection attacks remotely and takeover the control of the router.
Description
D-Link router models DSR-150, DSR-250, DSR-500 and DSR1000AC running firmware version 3.14 and 3.17, are reported to contain critical flaws that could be exploited remotely. The zero-day vulnerabilities have been given the CVE identifiers CVE-2020-25757, CVE-2020-25758, CVE-2020-25759.
The first and most critical of these vulnerabilities (CVE-2020-25757) stems from improper input validation in the system command API. Due to the vulnerability, an unauthenticated attacker could access the router’s web interface remotely (accessible over the Internet) and execute arbitrary commands as root, resulting in full control of the router by the attacker.
The second vulnerability (CVE-2020-25758) is caused by insufficient validation of configuration file checksums. Due to the vulnerability, an unauthenticated remote attacker can inject crontab entries into the saved configurations of the router.
And the last vulnerability (CVE-2020-25759) stems from lack of validation of inputs provided in multipart HTTP POST requests. Due to the vulnerability, an authenticated remote attacker could execute arbitrary commands.
Impact
An unauthenticated attacker can conduct root level code injection attacks remotely (over the Internet). After gaining the control, an attacker can intercept or modify network traffic or conduct Denial of Service (DoS) attacks.
Impact Summary CVE-2020-25757
Category: Command Injection
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An unauthenticated remote attacker can inject arbitrary crontab entries into saved configurations of the router.
Impact Summary CVE-2020-25758
Category: Crontab Injection
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
An authenticated remote attacker can could execute arbitrary commands on the router.
Impact Summary CVE-2020-25759
Category: Crontab Injection
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Solution (Update)
Currently, beta firmware patches and hot-patch mitigations are available for the discovered zero-day command injection vulnerabilities on the D-Link routers. Confirmed patches are expected to be released by mid-December.
The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats.
Stephane Nappo
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- D-Link Official Support Page
- https://nvd.nist.gov (CVE-2020-25757)
- https://nvd.nist.gov (CVE-2020-25758)
- https://nvd.nist.gov (CVE-2020-25759)
You can also read our article How to Secure Your Home WiFi Router in 15 Simple Steps? to learn more about WiFi router security.
