A critical unauthenticated command injection vulnerability has been found in D-Link routers that allows an attacker to take over the device and execute code.
On September 22, Fortinet’s FortiGuard Labs identified and reported an unauthenticated command injection vulnerability (FG-VD-19-117 / CVE-2019-16920) in D-Link products that could lead to Remote Code Execution (RCE).
As the affected products have reached End of Life (EOL) support, the vendor will not provide fixes for the issues discovered.
According to Fortinet, the vulnerability affects D-Link firmware in the DIR-655, DIR-866L, DIR-652 and DHP-1565 router families, which are Wi-Fi routers for the home market.
Earlier in September, researchers discovered a D-Link vulnerability that can leak passwords and affects every user on networks that rely on the affected devices for access.
In May, researchers discovered attackers using the Google Cloud platform to carry out three separate waves of DNS hijacking attacks against vulnerable D-Link devices and other targets.
“The vulnerability begins with a bad authentication check. To see the problem in action, we start at the admin page and then perform the login action. We implement the POST HTTP request to ‘apply_sec.cgi’ with the action ping_test. We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed; the value of ping_ipaddr will execute the ‘echo 1234’ command on the router server and then send the result back to our server,” said the security advisory.
Because of the flawed authentication check, it is possible to execute code remotely without the privileges that the action should require.
According to Fortinet, the root cause of the vulnerability is the lack of a sanity check on arbitrary commands that are passed to a native command-execution function, a typical security pitfall suffered by many firmware manufacturers.
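To make the two missing controls concrete, here is an added example of a hardened CGI handler sketch; it is not D-Link's firmware code nor Fortinet's proof of concept. It models the request flow the advisory describes (an action parameter, a ping_ipaddr form field) and shows a handler that (1) denies unauthenticated requests before any action is dispatched, so a request that "returns the login page" cannot also run the action, and (2) validates ping_ipaddr as a plain IPv4 literal and runs ping through execlp with a fixed argv rather than through a shell, so the field can never become a second command. The struct layout, function names and return codes are assumptions made for the example.

```c
/*
 * Added example (not D-Link's or Fortinet's code): a hardened
 * apply_sec.cgi-style handler showing the two controls whose absence
 * the CVE-2019-16920 description implies. All names below are assumed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

enum handler_result {
    HANDLED_OK = 0,
    REJECT_UNAUTHENTICATED = 1,
    REJECT_BAD_INPUT = 2,
    REJECT_UNKNOWN_ACTION = 3
};

/* A parsed form submission (assumed shape). */
struct request {
    int authenticated;        /* outcome of the session check */
    const char *action;       /* e.g. "ping_test" */
    const char *ping_ipaddr;  /* client-controlled form field */
};

/* Allow-list: accept only a dotted-quad IPv4 literal. Hostnames,
 * whitespace and shell metacharacters all fail inet_pton(). */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Run ping WITHOUT a shell: the target is one argv element, so it
 * cannot terminate the command and start another. */
int run_ping_no_shell(const char *ip)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", ip, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* dry_run != 0: validate and dispatch but do not fork ping, so the
 * decision logic can be exercised offline. */
enum handler_result handle_apply_sec(const struct request *req, int dry_run)
{
    /* Control 1: the auth check must return, never fall through. */
    if (!req->authenticated)
        return REJECT_UNAUTHENTICATED;

    if (req->action == NULL || strcmp(req->action, "ping_test") != 0)
        return REJECT_UNKNOWN_ACTION;

    /* Control 2: validate the parameter before it reaches exec. */
    if (!is_valid_ipv4(req->ping_ipaddr))
        return REJECT_BAD_INPUT;

    if (!dry_run)
        run_ping_no_shell(req->ping_ipaddr);
    return HANDLED_OK;
}

/* Convenience wrapper: build a request and evaluate it in dry-run mode. */
int check_request(int authenticated, const char *action, const char *ip)
{
    struct request req = { authenticated, action, ip };
    return (int)handle_apply_sec(&req, 1);
}

int main(void)
{
    /* Constructed sample requests. */
    printf("valid request:        %d\n", check_request(1, "ping_test", "192.0.2.10"));
    printf("injection attempt:    %d\n", check_request(1, "ping_test", "192.0.2.10;echo 1234"));
    printf("unauthenticated:      %d\n", check_request(0, "ping_test", "192.0.2.10"));
    return 0;
}
```

The order of checks is the point: the session check rejects the request before the action string is even examined, and the IP validation rejects anything that is not a bare address before the exec call, so neither the "login page but action still ran" path nor the shell-metacharacter path exists in this handler.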
Confirmation by vendor
The vendor confirmed the vulnerability within 24 hours. The bad news came three days later, when the vendor said it would not provide fixes for the issues discovered because the products are at End of Life (EOL) and no longer sold by the vendor, even though the models are still available from third-party sellers.
As no patch will be made available, the only measure available to affected users is to upgrade their devices as soon as possible.