A vulnerability in D-link firmware powering multiple routers with VPN passthrough functionality allows attackers to take full control of the device.
The bug affects router models DSR-150, DSR-250/N, DSR-500, and DSR-1000AC running firmware version 3.17 or below.
Reported by Digital Defense’s Vulnerability Research Team on August 11, the flaw is a root command injection that can be exploited remotely if the device’s “Unified Services Router” web interface is reachable over the public internet.
“Consequently, a remote, unauthenticated attacker with access to the router’s web interface could execute arbitrary commands as root, effectively gaining complete control of the router”
– Digital Defense
Hackers could use their access to intercept traffic, modify it, or target other connected devices in the house.
Also Read: Limiting Location Data Exposure: 8 Best Practices
D-Link has acknowledged the issue and published some details in an advisory earlier this month, saying that some LUA CGI are accessible without authentication and could be used to execute a LUA library function to pass user-supplied data.
The router manufacturer explains that an attacker can slip malicious data into a command designed to calculate a hash that is processed by the “os.popen()” function.
Following Digital Defense’s report, which referred only to DSR-250 router model, D-Link assessed that the vulnerable firmware version was powering the other models ( DSR-250/N, DSR-500, and DSR-1000AC).
For the impacted router models, D-Link has released a hotfix, the latest firmware version mitigating the problem being 3.17B401C.
Apart from this vulnerability, Digital Defense reported two others, none as severe. One of them is also a root command injection exploitable over an exposed “Unified Services Router” web interface but it requires authentication.
The third one is an authenticated crontab injection that allows scheduling the execution of arbitrary commands with root privileges.
D-Link did not acknowledge this bug, classifying it as low-threat after applying the patch for the other two issues. The company explains:
“For this generation of product, the device uses a plain text config, which is the design to directly edit and upload the config to the same DSR devices accordingly. If D-Link mitigates issue #1 and #2, as well as other, recently reported issues, the malicious user would need to engineer a way of gaining access to the device to upload a configuration file, so we understand the report but classify the report as low-threat once the patched firmware is available”
Also Read: 10 Practical Benefits of Managed IT Services
The table below lists vulnerable router models and links to the updated firmware version containing the fix:
| Model | Hardware Revision | Region | Affected FW | Fixed FW | Recommendation | Last Updated | |
| DSR-150 | All Rev. A Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-150 | All Rev. A Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-150 | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-150 | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-150N | All Rev. A Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-150N | All Rev. A Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-150N | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-150N | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C _RU | Download and Update Device | 12/02/2020 | |
| DSR-250 | All Rev. A Hardware Revisions | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-250 | All Rev. A Hardware Revisions | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-250 | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-250 | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. A Hardware Revisions | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. A Hardware Revisions | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. B Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. B Hardware Revision | Russian | v3.17 & Below | v3.17B401C _RU | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 | |
| DSR-250N | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
Established in 2018, Privacy Ninja is a Singapore-based IT security company specialising in data protection and cybersecurity solutions for businesses. We offer services like vulnerability assessments, penetration testing, and outsourced Data Protection Officer support, helping organisations comply with regulations and safeguard their data.
Singapore
7 Temasek Boulevard,
#12-07, Suntec Tower One,
Singapore 038987
