Mass vulnerabilities exposed in enterprise D-Link devices, home routers

Collectively, security researchers have exposed over 100 vulnerabilities in home routers and business products.
Written by Charlie Osborne, Contributing Writer

Over the past week, security researchers revealed a vast list of security vulnerabilities present in products used by businesses and homes worldwide.

In posts to Full Disclosure, security professionals and students from Search Lab and the Universidad Europea de Madrid exposed a number of security vulnerabilities in D-Link devices used within the enterprise, as well as in SOHO routers commonly found in households.

The release follows the exposure of a NetUSB flaw, revealed in May, which leaves potentially millions of routers and Internet of Things (IoT) devices used in households vulnerable to hijacking. As more security problems are discovered in such devices and revealed in the public domain, the need for vendors to invest more in home product security -- and the need for the general public to change default settings -- is highlighted.

In addition, enterprises are placed at risk if they use devices with out-of-date firmware that contains vulnerabilities. Such weak links can put an entire corporate network at risk by acting as a conduit for cyberattacks.

Search Lab, based in Budapest, Hungary, performed an independent assessment on four different D-Link devices. In total, 53 unique vulnerabilities were identified in the latest firmware used in these devices, which was last updated in 2014.

According to the team, the affected devices include the D-Link DNS-320 ShareCenter 2-Bay Network Storage Enclosure, the DNS-320L cloud enclosure, the D-Link DNS-327L ShareCenter and DNR-326 2-Bay Professional Network Video Recorder (NVR), among others.

Several vulnerabilities allow remote attackers to execute arbitrary code. According to the team, the firmware's security holes allow attackers to take full control over a device, and "half-baked security workarounds" within the firmware -- included to fix previous vulnerabilities -- contain problems of their own, leading to "even more serious problems."

"Even though there were several security patches and workarounds in the session management part of the code, we still found serious problems. It was still possible to perform unauthenticated file upload to an arbitrarily chosen location, which also led to the possibility for an attacker to take full control over the device," the team says.

In addition, default users -- such as the root account -- can be used during authentication processes, and admins cannot change the default passwords of these accounts from user interfaces. Other vulnerabilities uncovered include bypass flaws, unauthenticated photo publishing, information leaks, unauthenticated access issues and arbitrary file overwriting.

For the full list of CVE-numbered vulnerabilities, view the full report (.PDF).

The researchers and D-Link have been in contact since July last year. A number of discussions have taken place, and in May D-Link requested additional time to fix a number of the vulnerabilities. As a result, Search Lab has only revealed the existence of fixed and reviewed problems in this round.

"Besides installing the patches, where available, we highly recommend not to expose the web interface of the DNS and DNR devices to the internet. Since the devices use the UPnP feature, you should disable it in the router," the team says.

In addition to the exposure of D-Link product flaws, Jose Antonio Rodriguez Garcia, on behalf of a team of Masters security students at the Universidad Europea de Madrid, revealed the existence of multiple vulnerabilities in home routers.

Posted on Full Disclosure, the analysis discovered over 60 vulnerabilities in routers which perform in small office and home (SOHO) mode -- a type of local area network (LAN) setting which can include both wired and wireless computers.

Products from companies including Observa, Comtrend, D-Link, Huawei and Netgear reportedly contain security issues.

In total, 22 products were analyzed by the team, revealing a number of flaws including persistent and unauthenticated cross site scripting (XSS) vulnerabilities, cross site request forgery (CSRF), information leaks, privilege escalation and Universal Plug and Play related vulnerabilities.

For example, an Observa router contains an XSS flaw in the configuration system which could allow attackers to execute malicious code; privilege escalation is made possible by reading the public router configuration file (config.xml); and external Denial of Service (DoS) attacks are possible through malicious links.

In addition, a Netgear model contains multiple cross site request forgery (CSRF) vulnerabilities, and some Huawei routers are susceptible to USB Device Bypass Authentication attacks and XSS flaws.

All routers were physically tested and each vendor has been informed of the security problems.

ZDNet has reached out to companies involved and will update if we hear back.
