D-Link issues beta hotfix for multiple flaws in DIR-3040 routers

Network equipment vendor D-Link has released a firmware hotfix to fix multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.

Network equipment vendor D-Link has released a firmware hotfix to address multiple vulnerabilities affecting the DIR-3040 AC3000-based wireless internet router.

An attacker could exploit the flaws to execute arbitrary code on unpatched routers, crash the devices, or gain access to sensitive information.

The list of vulnerabilities addressed by D-Link includes:

• CVE-2021-21816 – Syslog information disclosure vulnerability
• CVE-2021-21817 – Zebra IP Routing Manager information disclosure vulnerability
• CVE-2021-21818 – Zebra IP Routing Manager hard-coded password vulnerability
• CVE-2021-21819 – Libcli command injection vulnerability
• CVE-2021-21820 – Libcli Test Environment hard-coded password vulnerability

The flaws were discovered by Cisco Talos researchers, the first one tracked as CVE-2021-21818 is hard-coded password vulnerability in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03, while the second one is a hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03.

Affected models are:

Model	Hardware Revision	Affected FW	Fixed FW	Recommendation	Last Updated
DIR-3040	All Ax Hardware Revisions	v1.13B03 & Below	v1.13B03 Hotfix	1) Please Download Patch and Update Device2) Full QA Firmware under test for automatic F/W update notification on D-Link Wifi mobile App	06/09/2021

Both flaws could be exploited by sending specially crafted requests to vulnerable devices.

“A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.” reads the advisory for the CVE-2021-21820.

“A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.” reads the advisory for the CVE-2021-21818.

CVE-2021-21820 received a CVSS 3.0 score of 10, while the CVE-2021-21818 received a CVSS 3.0 score of 7,5.

Cisco experts also found a code execution vulnerability in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03.

“A code execution vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.” reads the advisory for the CVE-2021-21819

Experts also explained that it is possible to start a hidden telnet service without authentication by visiting https:///start_telnet” and log into the Libcli test environment using a default password stored in plain text on the router.

D-Link has addressed the flaws with the release of firmware version 1.13B03 and has issued a firmware hotfix to fix the issues.

D-Link highlights that the firmware hotfix released to address the above issue is a device beta software which is still undergoing final testing before its official release.

“Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates. Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware.” states the vendor. “D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, routers)

[adrotate banner=”5″]

[adrotate banner=”13″]