14 DAY TRIAL // D-Link has released firmware updates for its DIR-820L router in the wake of a report from an independent security researcher who found multiple security flaws in the device, one of them allowing a remote attacker complete takeover.
Peter Adkins found the vulnerabilities and relayed his findings to the manufacturer on January 11, but the company failed to reply to requests regarding mitigation of the problems or to come up with a patch, so the researcher made his discoveries public on February 26.
CSRF attack could fully compromise the device
On Monday, D-Link released a security advisory informing that an investigation was conducted and other routers (DIR-626L/DIR-636L/DIR-808L/DIR-810L/DIR-826L/DIR-830L/DIR-836) were found to be vulnerable as well.
A new firmware is currently available for DIR-820L, while updates for the rest of the devices are estimated to roll out by March 10.
The most dangerous flaw uncovered by Adkins refers to gaining root access to the router through a CSRF (cross-site request forgery) attack by tricking the victim into visiting a malicious web page.
This would allow unauthorized access to the DNS (domain name system) configuration, which is designed to direct the device to a legitimate server that is in charge of converting domain names into IP addresses so that the correct website is loaded in the web browser.
A demonstration of the flaw has been captured by the researcher in a video (available below), where the router is instructed to carry out different actions, including granting unauthorized root access to a third party.
Disabling remote access to the router mitigates issue
The pre-requisite for successful exploitation of the glitches discovered by the researcher is for the router to have the remote network management enabled. The default setting for this option in the affected routers is “off.”
D-Link recommends applying the updates as soon as they become available. Until then, however, mitigation action can be taken by disabling WAN management on the device.
If remote access to the router is required, Adkins proposes the use of the µBlock extension available for Google Chrome, Mozilla Firefox and Safari to blocklist requests to the router. Keep in mind that this is not a foolproof solution though.
Video demonstrating the CSRF vulnerability:
