fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

D-Link leaves severe security bugs in home router unpatched

D-Link leaves severe security bugs in home router unpatched

D-Link has released a firmware update to fix three out of six security vulnerabilities reported for the DIR-865L wireless router model for consumers. One flaw is rated critical, others are high-severity.

Attackers can use the bugs to execute arbitrary commands, steal sensitive information, upload malware, or delete data.

EoL in the U.S., EoS in Europe

D-Link’s DIR-865L was released in 2012 and is no longer supported for U.S. consumers but its status on localized pages for European countries is End of Sale. This means that the product can no longer be purchased but it is still supported by the vendor.

High-severity bugs

Vulnerability researchers at Palo Alto Networks’ Unit 42 in late February found half a dozen security vulnerabilities in D-Link DIR-865L and reported them to the maker.

The researchers assess that the flaws may also affect newer models because they share a common code base. They found the following issues, with severity scores from the National Vulnerability Database (NVD):

  1. CVE-2020-13782: Improper Neutralization of Special Elements Used in a Command (Command Injection) – critical-severity score 9.8, not fixed
  2. CVE-2020-13786: Cross-Site Request Forgery (CSRF) – high-severity score 8.8, fixed
  3. CVE-2020-13785: Inadequate Encryption Strength – high-severity score 7.5, fixed
  4. CVE-2020-13784: Predictable seed in pseudo-random number generator – high-severity score 7.5 not fixed
  5. CVE-2020-13783: Cleartext storage of sensitive information – high-severity score 7.5, fixed
  6. CVE-2020-13787: Cleartext transmission of sensitive information – high-severity score 7.5, not fixed

It is worth noting that the command injection vulnerability received a critical severity score from NVD, while Unit 42 researchers note in their report that exploiting it requires authentication; while this can be achieved via the CSRF (cross-site request forgery) flaw, it would fit a lower severity rating.

Gregory Basior, one of the Unit 42 researchers that found and reported the vulnerabilities, says that combining some of these vulnerabilities could allow malicious actors to sniff network traffic and steal session cookies.

“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attack” – Gregory Basior

Partial fixes

D-Link reacted by releasing a beta firmware release that fixes only three of the flaws, which would enable an attacker outside the local network to cause damage: CSRF, weak encryption, and storing sensitive info in plain text.

BleepingComputer has reached out to D-Link asking for clarification on the partial fixes delivered in the router but has not received an answer at publishing time.

The company highlights that the product reached end-of-life for U.S. consumers in early 2016 and recommend them to replace it with a newer model that is still supported. Check the list of legacy D-Link products.

“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it” – D-Link

Despite having an important role in connecting home devices, routers are rarely replaced when their support period expires. For many users, they are a “set it and forget it” type of hardware, that is replaced only when it becomes technologically obsolete or no longer functions properly.

Installing security router updates is not a priority for the regular end-user, especially in lack of an alert system for new firmware versions or an update procedure that would be easy to handle.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us