Multiple security flaws let hackers infiltrate D-Link routers

the best VPN routers
(Image credit: Shutterstock)

Five major vulnerabilities have been discovered affecting D-Link routers by cybersecurity researchers working as part of Trustwave’s SpiderLabs team. 

The bugs could enable attackers on the same Wi-Fi network to gain user credentials and remotely execute code on the victim’s router.

The findings represent further bad news for D-Link, after the firm had to hastily patch a vulnerability found in its VPN routers. That disclosure, which was carried out by threat management firm Digital Defense only came to light earlier this month.

“On the 30th of October, D-Link published a support announcement and released new firmware to patch five vulnerabilities that I identified on the DSL-2888A router as a part of the security research I do for Trustwave SpiderLabs,” Harold Zang, Technical Specialist at Trustwave SpiderLabs, explained

“These security vulnerabilities could allow a malicious Wi-Fi or local network user to gain unauthorized access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on the router.”

The famous five

The first security flaw found by Zang involved insufficient authentication of the router’s admin page, which meant that any individual could browse an authenticated page without requiring the correct password. The second allowed a malicious user to obtain the internet provider connection and wireless router login usernames and passwords in plaintext.

Finding three involved an FTP misconfiguration that allowed an attacker to access the router file system, while the fourth bug enabled authenticated users to execute Linux commands that could allow them to monitor network traffic. The fifth vulnerability was another that involved insufficient authentication.

As Zang states, D-Link has now patched the five vulnerabilities, but the company will be eager to show that it is capable of building routers that do not suffer from such serious flaws in the first place.

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.