Pierluigi Paganini September 16, 2024

D-Link fixed multiple critical flaws in its WiFi 6 routers that allow remote attackers to execute arbitrary code or gain hardcoded credentials.

D-Link has addressed three critical vulnerabilities, tracked as CVE-2024-45694, CVE-2024-45695, CVE-2024-45697, impacting three wireless router models. The flaws can allow attackers to remotely execute arbitrary code or access the devices using hardcoded credentials.

The manufacturer also addressed two high-severity vulnerabilities, tracked as CVE-2024-45696 and CVE-2024-45698.

On June 8, 2021, the TWCERT reported the vulnerabilities in D-Link DIR-X5460 to the company.

“When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches. The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule.” reads the advisory. “We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer.”

Below are the descriptions of the issues addressed by D-Link:

CVE-2024-45694 (9.8 critical): The issue is a stack-based buffer overflow in the web service of certain models of D-Link wireless routers. Unauthenticated remote attackers could exploit this vulnerability to execute arbitrary code on the device. The issue impacts:

• DIR-X5460 A1 frimware version 1.01, 1.02, 1.04, 1.10
• DIR-X4860 A1 firmware version 1.00, 1.04

CVE-2024-45695 (9.8 critical): The issue is a stack-based buffer overflow in the web service of certain models of D-Link wireless routers. Unauthenticated remote attackers could exploit this vulnerability to execute arbitrary code on the device. The issue impacts:

CVE-2024-45697 (9.8 critical): Certain D-Link router models have a hidden feature that enables the telnet service when the WAN port is connected. This allows unauthorized remote attackers to log in and execute OS commands using hard-coded credentials. The issue impacts:

• DIR-X4860 A1 firmware version 1.00, 1.04

CVE-2024-45696 (8.8 high): Certain D-Link router models have hidden functionality that allows attackers to enable the telnet service by sending specific packets to the web service. Once enabled, attackers can log in using hard-coded credentials, but the telnet access is limited to the local network. The issue impacts:

• DIR-X4860 A1 firmware version 1.00, 1.04.
• COVR-X1870 firmware version v1.02 and earlier.

CVE-2024-45698 (8.8 high): Certain D-Link router models have a vulnerability in the telnet service that allows unauthenticated remote attackers to log in using hard-coded credentials and execute arbitrary OS commands due to improper input validation. The issue impacts:

• DIR-X4860 A1 firmware version 1.00, 1.04

The company addressed the vulnerabilities in the security bulletin in the versions v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

The Taiwanese manufacturer did not reveal if one of the issues in the security bulletin has been actively exploited in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)