A previously undisclosed vulnerability has been discovered in VPN routers from D-Link that could allow an attacker to take full control over the affected devices.
The Vulnerability Research Team (VRT) at the threat management firm Digital Defense discovered a root command injection flaw in D-Link's DSR-150, DSR-250, DSR-250, DSR-500 and DSR-1000AC VPN routers.
Devices running firmware version 3.14 and 3.17 are vulnerable to potential attacks and this is made worse by the fact that D-Link's VPN routers are commonly available on many popular ecommerce sites such as Amazon Best Buy, Office Depot and Walmart.
- We've rounded up the best business VPN services available
- Protect your network with the best endpoint protection software
- We've also highlighted the best small business routers on the market
As more employees are working from home during the pandemic, some might be connecting to corporate networks using one of the affected devices which could put organizations at risk as well.
Command injection flaw
The vulnerable component of D-Link's VPN routers is accessible without authentication from both WAN and LAN interfaces and the flaw could even be exploited over the internet.
Additionally, a remote, unauthenticated attacker with access to the router's web interface could execute arbitrary commands as root which would effectively give them complete control of the router. With this access, an attacker could intercept or modify traffic, cause denial of service conditions and launch further attacks on other assets as D-Link routers can simultaneously connect to up to 15 devices.
SVP of engineering at Digital Defense Mike cotton explained how the firm responsibly disclosed the vulnerability to D-Link in a press release, saying:
“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability. The Digital Defense VRT reached out to D-Link who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”
D-Link has now patched the flaw and released updated firmware for all of the affected routers. Users can check out the company's advisory on the issue for more information and it is highly recommended that they download and install the updated firmware for their device.
- Also check out our complete list of the best VPN services
