D-Link releases a security firmware update that only fixes 3 out 6 issues in DIR-865L home routers

D-Link has released a firmware update to address three security flaws impacting the DIR-865L home router model, but left some issue unpatched

D-Link has recently released a firmware update to address three out of six security flaws impacting the DIR-865L wireless home router.

Below the list of vulnerabilities affecting the D-Link home routers:

1. CVE-2020-13782: Improper Neutralization of Special Elements Used in a Command (Command Injection) – critical-severity score 9.8, not fixed
2. CVE-2020-13786: Cross-Site Request Forgery (CSRF) – high-severity score 8.8, fixed
3. CVE-2020-13785: Inadequate Encryption Strength – high-severity score 7.5, fixed
4. CVE-2020-13784: Predictable seed in pseudo-random number generator – high-severity score 7.5 not fixed
5. CVE-2020-13783: Cleartext storage of sensitive information – high-severity score 7.5, fixed
6. CVE-2020-13787: Cleartext transmission of sensitive information – high-severity score 7.5, not fixed

The flaws were reported to D-Link by researchers at Palo Alto Networks in February, experts pointed out that the issues could also affect newer models because they share portions of firmware code.

Only the command injection vulnerability is rated critical, the remaining ones are high-severity, they can be exploited by attackers to execute arbitrary commands, steal sensitive information, upload malicious payloads, or delete data.

According to Palo Alto Networks’ Unit 42 researcher Gregory Basior an attacker could chain some of the above issues to sniff network traffic and steal session cookies.

“Different combinations of these vulnerabilities can lead to significant risks. For example, malicious users can sniff network traffic to steal session cookies.” reads the analysis published by Palo Alto Networks.

“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attack.”

D-Link’s DIR-865L is no longer supported for U.S. consumers, while the vendor sill provides supports for European customers.

The vendor released a beta firmware release that fixes only three out of the six flaws, it recommends customers to replace their device with a new model.

“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it” states D-Link.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – D-Link DIR-865L, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]