Security

D-Link releases a security firmware update that only fixes 3 out 6 issues in DIR-865L home routers

D-Link has released a firmware update to address three security flaws impacting the DIR-865L home router model, but left some issue unpatched

D-Link has recently released a firmware update to address three out of six security flaws impacting the DIR-865L wireless home router.

Below the list of vulnerabilities affecting the D-Link home routers:

  1. CVE-2020-13782: Improper Neutralization of Special Elements Used in a Command (Command Injection) – critical-severity score 9.8, not fixed
  2. CVE-2020-13786: Cross-Site Request Forgery (CSRF) – high-severity score 8.8, fixed
  3. CVE-2020-13785: Inadequate Encryption Strength – high-severity score 7.5, fixed
  4. CVE-2020-13784: Predictable seed in pseudo-random number generator – high-severity score 7.5 not fixed
  5. CVE-2020-13783: Cleartext storage of sensitive information – high-severity score 7.5, fixed
  6. CVE-2020-13787: Cleartext transmission of sensitive information – high-severity score 7.5, not fixed

The flaws were reported to D-Link by researchers at Palo Alto Networks in February, experts pointed out that the issues could also affect newer models because they share portions of firmware code.

Only the command injection vulnerability is rated critical, the remaining ones are high-severity, they can be exploited by attackers to execute arbitrary commands, steal sensitive information, upload malicious payloads, or delete data.

According to Palo Alto Networks’ Unit 42 researcher Gregory Basior an attacker could chain some of the above issues to sniff network traffic and steal session cookies.

“Different combinations of these vulnerabilities can lead to significant risks. For example, malicious users can sniff network traffic to steal session cookies.” reads the analysis published by Palo Alto Networks.

“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attack.”

D-Link’s DIR-865L is no longer supported for U.S. consumers, while the vendor sill provides supports for European customers.

The vendor released a beta firmware release that fixes only three out of the six flaws, it recommends customers to replace their device with a new model.

“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it” states D-Link.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – D-Link DIR-865L, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A new Linux variant of FASTCash malware targets financial systems

North Korea-linked actors deploy a new Linux variant of FASTCash malware to target financial systems,…

4 hours ago

WordPress Jetpack plugin critical flaw impacts 27 million sites

WordPress Jetpack plugin issued an update to fix a critical flaw allowing logged-in users to…

13 hours ago

Pokemon dev Game Freak discloses data breach

Pokemon dev Game Freak confirmed that an August cyberattack led to source code leaks and…

17 hours ago

U.S. CISA adds Fortinet products and Ivanti CSA bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet products and Ivanti CSA bugs to…

1 day ago

Nation-state actor exploited three Ivanti CSA zero-days

An alleged nation-state actor exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) in…

1 day ago

Dutch police dismantled dual dark web market ‘Bohemia/Cannabia’

Dutch police dismantled Bohemia/Cannabia, two major dark web markets for illegal goods, drugs, and cybercrime…

1 day ago

This website uses cookies.