The IT Nerd

So let me start with the exploit behind the title in this story. D-Link has released a security advisory which is tied to CVE-2024-0769 that goes like this:

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service with the input ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-251666 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

 So let’s unpack this. In English, what this is saying is that an attack that can be launched remotely exists that allows attackers to leak session data, achieve privilege escalation, and gain full control via the admin panel. In short, they can take over the router. And presumably use that access to launch secondary attacks. Like theft of data for example via reconfiguring the router to let them have full access to your network. On top of that you’ll note this part:

NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

So this isn’t going to get fixed. Which means that if you have one of these routers, your best course of action is to throw it in the trash (or responsibly recycle it) and get something else. I say that because the word on the street is that threat actors are actively using this exploit to pwn people. Thus you don’t want to be the person on the other end of that.

If you own a D-Link Router, you might want to pay attention to this ZDNet story.

For the past three months, a cybercrime group has been hacking into home routers — mostly D-Link models — to change DNS server settings and hijack traffic meant for legitimate sites and redirect it to malicious clones. The attackers operate by using well-known exploits in router firmware to hack into vulnerable devices and make silent changes to the router’s DNS configuration, changes that most users won’t ever notice. Targeted routers include the following models (the number to the side of each model lists the number of internet-exposed routers, as seen by the BinaryEdge search engine): D-Link DSL-2640B – 14,327; D-Link DSL-2740R – 379; D-Link DSL-2780B – 0; D-Link DSL-526B – 7; ARG-W4 ADSL routers – 0; DSLink 260E routers – 7; Secutech routers – 17; and TOTOLINK routers – 2,265.

1. User’s computer or smartphone receives wrong DNS server settings from the hacked router.
2. User tries to access legitimate site.
3. User’s device makes a DNS request to the malicious DNS server.
4. Rogue server returns an incorrect IP address for the legitimate site.
5. User lands on a clone of the legitimate site, where he might be required to log in and share his password with the attackers.

Affected D-Link routers include the following:

• D-Link DSL-2640B
• D-Link DSL-2740R
• D-Link DSL-2780B
• D-Link DSL-526B
• ARG-W4 ADSL routers
• DSLink 260E routers
• Secutech routers
• TOTOLINK routers

The article also has this advice if your D-Link router is on that list:

As for the attacks detected by Bad Packets, owners of the above listed devices are advised to check their routers’ DNS settings and compare the DNS IP addresses with the ones provided by their internet service provider. A phone call to the ISP’s call center may be needed to get the IP addresses of the ISP’s normal DNS servers.

However, if you see any of the following four IP addresses, then your router’s DNS settings have already been compromised by this campaign, and users need to upgrade their router’s firmware as soon as possible.

66.70.173.48
144.217.191.145
195.128.126.165
195.128.124.131

So, if you own a D-Link router, check to see if its on the list ASAP. If it is, you need to take action quickly to protect yourself.

A security researcher has named and shamed D-Link via Twitter:

Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol https://t.co/eGlZU3YsRy #0day #RCE #IoT #Cloud

— Pierre (피에르) (@PierreKimSec) September 7, 2017

In short, this researcher has discovered 10 flaws that could allow a hacker to pwn everything “from the Lan to the Wan” to quote his writeup.

Here’s where I have a bit of a problem with this. Apparently he went public without disclosing the issue to D‑Link beforehand. That’s a bit of a #fail in my mind because you should give the company a chance to fix the issue and only go public if they haven’t done so in 90 days. Apparently he went this route because of a previous negative experience with the firm. Also of note, he disclosed nine other vulnerabilities to D‑Link related to the DWR-932B back in February, but only one of them resulted in a patch from D-Link.

Having said that, it doesn’t change the fact that from my reading of his research that this router is extremely pwnable. His advice is to disconnect the router from the Internet and I can’t disagree with him. Hopefully being named and shamed will encourage D-Link to remedy this and quickly.

If you have a D-Link DIR-850L router, you should pay attention to this CERT notification. Apparently there’s a flaw in the firmware of this router that allows a remote attacker to run commands on the router. Effectively pwning the device. Now this becomes a really big deal is remote administration is enabled as anyone on the Internet can pwn the router. At present, D-Link has released beta firmware that apparently addresses this issue. However, I would take note of what CERT had to say about that:

The vendor has publicly disclosed the issue along with beta firmware releases (versions 1.14B07 h2ab BETA1 and 2.07B05 h1ke BETA1, depending on the device’s hardware revision), which are available from the product information page, but it is unclear whether the beta releases should be considered a proper solution.  

I don’t consider beta anything to be a proper solution. Thus if you have one of these routers, the best that you can do is disable remote administration if you enabled it for whatever reason and wait for D-Link to come out with a proper solution to this.

Owners of D-Link hardware, specifically wireless routers and Internet cameras may want to pay attention to this story. The FTC in the United States Of America is taking D-Link to court because that gear is according to them REALLY insecure:

The FTC, in a complaint filed in the Northern District of California charged that “D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”

Specifically, D-Link is being accused of using “Hard-coded” login credentials, having “command injection” flaws in their products that allow remote pwnage of their products, not handling private keys codes properly, and finally leaving user credentials in plain text in their apps.

None of this is trivial stuff.

Here’s D-Link’s response to all of this:

For its part, D-Link Systems said it “is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers private data is always our top priority.”  [Update: A full response fromD-Link can be found here]

Here’s the thing. If the FTC goes after a company, they usually have the evidence to back up whatever claim they are making. After all, in November, DHS put out a warning about some of their routers. They did fix them, but that took them over a month to get done. I can think of other examples, but I won’t bore you with the details. In any case, D-Link may want to figure out how to mitigate the bad press that this news will create and the severe slap that the FTC is likely to hand out when they win in court. Likely by settling out of court and addressing these issues.

I should note that the FTC has also gone after ASUS and TRENDnet for similar issues. Thus if you make IoT gear, you should make sure that your security is on point. Otherwise the feds will be at your door step.

D-Link yesterday announced the launch of its new line of high-performance home networking devices starting with the Wireless AC3200 Tri-Band Gigabit Router (DIR-890L). Packed with advanced features, this router was designed to keep both the latest and legacy Wi-Fi devices running at peak performance. It combines Tri-Band with SmartConnect technology to distribute Wi-Fi traffic over three Wi-Fi radios giving you improved performance and reliability. SmartConnect technology automatically assigns each device on your network to the Wi-Fi radio where it can connect at its best possible speed. This ensures that older wireless devices do not degrade the overall performance of your network allowing faster devices to hit their top speed.

Key features include:

• Ultra fast wireless transfer rates of up to 600Mbps (2.4GHz) + 1300Mbps (5GHz) + 1300Mbps (5GHz) for all of your web browsing,
  4K HD media streaming and gaming needs.
• Tri-Band Technology with SmartConnect – Distributes traffic over 3 Wi-Fi radios for optimized network performance and reliability.
• SmartConnect technology automatically assigns each device on your network to the Wi-Fi band where it can connect at its maximum possible speed. This ensures that older wireless devices do not degrade the overall performance of your network allowing faster devices to hit their top speed.
•  Dual Core Processor gives you increased performance to support more devices and provide faster throughput.
• Powerful amplifier, 6 high-gain antennas and Advanced AC SmartBeam technology combine for enhanced Wi-Fi speed and coverage inside and around the largest of homes.
• Enhanced quality of service (QoS), ultra fast connectivity and DLNA support combine to provide a buffer-free 4K HD video streaming experience.
• Dual core processor, Gigabit ports, and advanced QoS combine to deliver lag free gaming.
• Advanced QoS prioritizes the most important data so you get lag-free gaming and uninterrupted streaming on multiple devices.
• Designed to get maximum performance from the growing number of connected devices in the home.
• Gigabit Ports provide all of your wired devices with blazing fast 10/100/1000 Mbps connections.
• Dual USB Ports (USB3.0 & USB2.0) let you locally and remotely stream content from up to two connected USB drives using the free mydlink SharePort app.
• Advanced wireless security with WPA2 and enhanced network security with dual active NAT and SPI firewalls.
• Wi-Fi Protected Setup – Push button for easy connection to a wireless network.
• Free mydlink Lite mobile app for monitoring and controlling your network.
• Brand New GUI – New intuitive user interface for simple management of a wireless network; optimized for mobile devices with touch enabled controls and designed to give users quick access to the status and management of their router and connected devices.Backward compatible and optimized to get the best performance out of both legacy and newer Wi-Fi devices.

The AC3200 Tri-Band Gigabit Router (DIR-890L) has an MSRP of $299.99 and is available now at Staples and other major retail outlets in Canada. Detailed specifications and information are available online at http://ca.dlink.com/products/connect/wireless-ac3200-tri-band-gigabit-router/.

D-Link Canada Yesterday announced the availability of two Wi-Fi Smart Plugs (DSP-W110 and DSP-W215), and the Wi-Fi Motion Sensor (DCH-S150) giving you an easy way to make your home a connected home. Providing a simple way to turn devices on and off from anywhere using the free mydlink Home app for iOS and Android smartphones or tablets.

Wi-Fi Smart Plug (DSP-W110) delivers a range of easy-to-use features, including:

• Power Scheduling – easily create on/off schedules for home appliances, lights and other electronic devices powered through the Wi-Fi Smart Plug.
• Local and Remote control – use the free and intuitive mydlink Home mobile app to instantly turn devices on or off from an iOS or Android smartphone or tablet.
• Wi-Fi Connectivity – requires no additional hub or device, works with any Wi-Fi network.
• Simple Setup – Wi-Fi Protected Setup (WPS) button offers quick and easy setup to connect to any router supporting the WPS standard.

The DSP-W215 does everything the DSP-W11o does, but adds the ability to monitor energy use of connected devices.

The mydlink Wi-Fi Motion Sensor (DCH-S150) delivers a range of easy-to-use features, including:

• Motion Alerts – use the free mydlink Home app to receive alerts on your iOS or Android device when motion is detected.
• Wi-Fi Connectivity – requires no additional hub or device, works with any Wi-Fi network.
• Motion detection up to 8 meters (26 feet).
• Simple Setup – Wi-Fi Protected Setup (WPS) button offers quick and easy setup to connect to any router supporting the WPS standard.
• Get More Out of Your Other Connected Home Devices – connect with mydlink smart plugs to turn on/off devices when motion is detected or use with mydlink cameras and be alerted to motion and know when to view your cameras.

D-Link’s Wi-Fi Smart Plug (DSP-W110) available for $39.99, the Wi-Fi Smart Plug+ w/ Energy Management (DSP-W215) available for $49.99, and the Wi-Fi Motion Sensor (DCH-S150) available for $44.99, can be purchased throughout D-Link’s vast network of retail outlets in Canada

If you’re looking for some 802.11 AC love, the D-Link Wireless AC1900 Dual Band Gigabit Router (DIR-880L) is shipping as of now to provide it. Delivering extremely fast Wireless AC speeds, this top-of-the-line router creates a high-performance wireless network that can handle high-bandwidth activities, like HD streaming and lag-free gaming, even in the farthest corners of the house and into your backyard. To eliminate Wi-Fi interference for faster and more reliable Internet, the Wireless AC1900 Dual Band Gigabit Router (DIR-880L) also features dual-band technology as well as band steering, enabling users to automatically perform simple Internet activities on the 2.4GHz band, and more demanding activities on the cleaner, interference-free 5GHz band. The router also features a brand new user interface built for mobile devices that offers the simplest router interface available on the market.

• Wireless AC1900 Dual Band Connectivity – Speeds of up to 1300 Mbps on the 5GHz band and 600Mbps on the 2.4GHz band for maximum throughput with less Wi-Fi interference
• Advanced AC SmartBeam technology tracks your connected devices for enhanced Wi- Fi speed and coverage inside and around very large homes
• Dual Core Processor gives you increased performance to support more devices and provide faster throughput
• Band steering technology distributes devices over both 2.4GHz and 5GHz bands for optimal Wi-Fi performance
• High-Powered Amplifier gives you increases Wi-Fi coverage for better coverage inside and outside your home
• Brand New GUI – New intuitive user interface for simple management of a wireless network; optimized for mobile devices with touch enabled controls and designed to give users quick access to the status and management of their router and connected devices.
• Traffic Prioritization – Advanced QoS engine distributes traffic optimally across both wireless bands to guarantee the best performance
• Gigabit Ethernet Ports – Four 10/100/1000Mbps Ethernet ports provide high-speed wired connectivity
• 2 USB Ports with mydlink SharePort (1 x USB 3.0 and 1 x USB 2.0) – Share and stream content from up to two connected USB drives
• Wi-Fi Protected Setup – Push button for easy connection to a wireless network
• Backward Compatible – Works with existing Wi-Fi devices (802.11n/g/b)
• Secure Wireless Encryption – Uses WPA or WPA2 security

D-Link’s Wireless AC1900 Dual Band Gigabit Router (DIR-880L) is available now for $189.99 throughout D-Link’s vast network of retail outlets in Canada. Detailed specifications and information are available online at www.dlink.ca/dir-880l.

D-Link today announced that their new Outdoor HD Wireless Network Camera called the DCS-2330L is now shipping. Equipped with IP65 weatherproof housing and designed for extreme weather, the Outdoor HD Wireless Network Camera is the ideal outdoor surveillance solution for any Canadian season. The new camera features 720p HD video quality and night vision for viewing up to 4.6 metres (15 feet) in complete darkness as well as advanced motion sensing technology, so users can receive instant email alerts based on changes to the camera’s environment. The camera integrates with a free mobile app to view streaming video from a PC, notebook, iPhone, iPad, Windows Phone or Android device. The mydlink Lite app enables seamless access to camera feeds from anywhere and a host of newly added features for expanded remote control including pinch-to-zoom viewing, push notifications of motion alerts, two-way audio, and video play back from cameras featuring a microSD/SDHC slot.

The DCS-2330L is available now for $199.99 at Best Buy and Future Shop. Detailed specifications and information are available online at www.dlink.ca/dcs-2330l.