Security Advisories
Security Advisories > SAP10004
DSL-2740B - Multiple CSRF and Administrative Bypass Vulnerabilities - (Fix Pending)
Publication ID: SAP10004
Resolved Status:
Published on: 14 November 2013 4:16 GMT
Last updated on: 8 March 2014 1:47 GMT

 

Overview

 

The D-Link DSL-2740B Wired/Wireless ADSL Gateway has vulnerabilities present in it's WEB-GUI configuration tool that allows malicious attacks by exploiting an active (logged-in) user browser session. These vulnerabilities allows an attacker, who has an authorized (logged in) browser session to access to the Web-GUI configration, which allows the ability to change configuration or cause the product to be unreliable.

 

D-Link Security Incident Reponse Policy

 

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

Any non-critical security issue, help in updating firmware, or configuration regarding this issue please contact your D-Link Customer care channel.

 

Reference

 

CVE-2013-2271 - DSL-2740B (ADSL Router) Athentication Bypass - Ivano Binetti (http://ivanobinetti.com) - http://bit.ly/1j79dx2
CVE-2013-5730 - DSL-2740B (ADSL Router) CSRF Vulnerabilities - Ivano Binetti (http://ivanobinetti.com) - http://bit.ly/19neoDF

 

General Disclosure

 

Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.  We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.

 

Immediate Recommendations for all D-Link router customers

     

  • Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet.  Remote Management is default disabled on all D-Link Routers and is included for customer care troubleshooting if useful and the customer enables it.
  • If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required we suggest updating the password frequently.

 

Description

 

The D-Link DSL-2740B Wired/Wireless ADSL Gateway has vulnerabilities present in it's WEB-GUI configuration tool that allows malicious attacks by exploiting an active (logged-in) user browser session. These vulnerabilities allows an attacker, who has an authorized (logged in) browser session to access to the Web-GUI configration, which allows the ability to change configuration or cause the product to be unreliable.

 

CVE-2013-5730

 

We recommend Remote Management be in the default selection of disabled. This will narrow the window of vulnerability to the LAN-side of the device. The D-Link DSL-2640B's web interface (listening on tcp/ip port 80) has CSRF vulnerabilities present which allow malicicous attackers to change router parameters and to perform many modifications to the router's parameters,  from the LAN-side access of the device,

 

CVE-2013-2271

 

We also recommend Remote Management be in the default selection of disabled. This will narrow the window of vulnerability to the LAN-side of the device. The D-Link DSL-2640B's allows a malicous attacker to bypass authentication and excute commands with admin permission during an active (logged-in) admin session. When the administrator is logged in the web management interface, an attacker is be able to completely bypass authentication phase and connect to the web management interface with administrator's credentials.

 

Requirements for the vulneratiblity to be exploited are:

 

  • The victim must have an active logged in management session with the router.
  • The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

 

Due to the requirement of having to be authenticated (logged in) to the router, the threat of this attack has a very narrow scope so the impact to users is also considered narrow.  We also are aware that a exploit to take advantage of the vulnerability is not impossible.  In a hardend system, an external user would not have access to excutable commands with-in the router, they should only be accessible by the router's itself, which is configured thru the Web_GUI only.

 

In order to comply and close this vulnerability D-Link will release new firmware that corrects this vulnerability.

 

Effected Products

 

Model Name

HW Version

Current FW Version

New FW Version for this exploit fix

DSL-2740B

Ax/Bx/Cx

 v.2.34 and older

Pending (03/07/2014)

 

Security patch for your D-Link router

 

These firmware updates address the security vulnerabilities in affected D-Link routers. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.

 

To update the firmware please log-in to the Web-GUI interface of your DSL-2740B, from the menu select Maintanence -> System -> Upgrade Firmware. If you require help please contact your regional D-Link customer care website for options.

 

 

DSL-2740B Revision All1
The new firmware is pending that fixes the security vulnerabilities

Current status: March 7, 2014