Security Announcement
(Non-US) DIR-100 Rev D1 /DIR-300 Rev Ax / DIR-320 Rev Ax / DIR-615 Rev D3 - Multiple Vulnerabilities - Command Injection, CSRF, XSS, Information Disclosure
Publication ID: SAP10017
Resolved Status: Yes
Published on: 7 March 2014 1:33 GMT
Last updated on: 4 February 2020 4:11 GMT

Overview


The DIR-615 Rev. D3 / DIR-300 Rev. A using f/w 1.05 and older contains multiple vulnerabilities that allow a remote Cross-site Request Forgery (CSRF / XSRF) attack. CSRF attacks allow a malicious user to forge HTML forms and execute actions in an authorized (logged in) browser session. This vulnerability allows anyone with access to the web interface to view and edit administrative router settings. Further, even if remote administration is disabled on the router, a remote attacker can still exploit the device via a cross-site request forgery attack.


These models are qualified as End-of-Service Life products. Support in the US has ceased and there are no further firmware updates. Please see below for End-of-Service Life products.


Region


These products were sold outside North America.


References


Michael Messner - http://www.s3cur1ty.de/ - Disclosure - Link

Craig Heffner - Disclosure - Link - Detailed PDF

Karol Celin - Disclosure - Link


Immediate Recommendations for all D-Link device customers


  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required, we suggest updating the password frequently.


Description


We encourage you to read the authors' original text to avoid misinterpretation and duplication of their work:

The authors describe the vulnerabilities differently and their conclusions are independent of one another. Our conclusion is that the causes of these issues are similar, and we have grouped our disclosure accordingly.


Authentication Bypass 


A misconfiguration in the PHP web-configuration pages allows pages to be accessed without user credentials.


CSRF Vulnerabilities


The web-configuration pages are susceptible to CSRF vulnerabilities that would allow an attacker to access and change the device's user credentials.
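An added example, not part of the D-Link advisory or the device firmware, illustrating the CSRF point made in the Overview and here: the forged request is sent by the victim's own browser on the LAN, so disabling remote administration does not stop it, whereas an Origin/Referer check plus a per-session token does. The device address, session id, secret and form field names are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed per-boot secret; a real device would generate one at random.
DEVICE_SECRET = b"constructed-example-secret"


def make_csrf_token(session_id: str) -> str:
    """Derive an anti-CSRF token bound to the logged-in session."""
    return hmac.new(DEVICE_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict, device_host: str) -> bool:
    """A state-changing request must declare the device's own UI as its source."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no header at all: fail closed for state-changing requests
    return urlsplit(source).hostname == device_host


def csrf_safe(headers: dict, form: dict, session_id: str, device_host: str) -> bool:
    """Both checks must pass: same-origin header and a token tied to this session."""
    expected = make_csrf_token(session_id)
    token_ok = hmac.compare_digest(form.get("csrf_token", ""), expected)
    return origin_allowed(headers, device_host) and token_ok


# Constructed requests. Both arrive from the same LAN client address, because the
# forged one is issued by the victim's own browser; a remote-administration switch
# or a source-IP check cannot tell them apart, only the Origin/token checks can.
SESSION = "sess-constructed-1234"
DEVICE_HOST = "192.168.0.1"

legit_req = {
    "peer_ip": "192.168.0.100",
    "headers": {"Origin": "http://192.168.0.1", "Cookie": f"sid={SESSION}"},
    "form": {"admin_password": "newpass", "csrf_token": make_csrf_token(SESSION)},
}
forged_req = {
    "peer_ip": "192.168.0.100",
    "headers": {"Origin": "http://evil.example", "Cookie": f"sid={SESSION}"},
    "form": {"admin_password": "pwned"},  # form forged on another site: no token
}


def evaluate(req: dict) -> bool:
    """Return True only if the credential change may be applied."""
    return csrf_safe(req["headers"], req["form"], SESSION, DEVICE_HOST)
```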


OS Command Injection Vulnerability


Some fields in the web-configuration pages lack validation to protect against invalid or malicious input being entered. As a result, configuration information can be changed, and commands can be executed on the device's operating system for further exploitation.


Insecure Storage of Device's User Access Credentials


The device's user credentials are stored in plain text within the device's local storage.


XSS Vulnerabilities


Some scripts that perform services and control configuration information accept unvalidated input (malicious scripts or otherwise) due to a lack of proper validation.


HTTP Header Injection Vulnerability


The device was found to respond to script injected into common HTTP header parameters due to a lack of validation of incoming requests from the user.

Affected Products


Model Name | HW Version | Region | New FW Version for this exploit fix
DIR-615    | D3         | Non-US | FW: v4.14WWb04
DIR-100    | D1         | Non-US | FW: v4.03b13 (Must select correct revision)
DIR-300    | Ax         | Non-US | FW: v1.06WWb05
DIR-320    | Ax         | Non-US | FW: v1.06WWb05

Release Notes


Security patch for your D-Link Devices


This firmware update addresses security vulnerabilities in the affected D-Link devices. D-Link will update it continually, and we strongly recommend that all users install the relevant updates.


As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.


Recommendation for End of Service Life Products


While D-Link is aware of the alleged vulnerabilities involving these products, they have reached End of Life (EoL)/End of Support (EoS) and there is no longer support or development for them. Once a product is past its EoL/EoS date, which is stated on its product support page, or has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including shift in market demands, technology innovation, costs or efficiencies based on new technologies, or the product simply matures over time and is replaced by functionally superior technology.


Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.


For US consumers, D-Link recommends this product be retired; any further use may be a risk to devices connected to it and to end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password to access its web configuration, and always have Wi-Fi encryption enabled with a unique password.


While this is an established part of a product's overall life cycle, D-Link understands that the EoL of a product may affect an end-user's decision to continue to use the product. The chart in the link below outlines D-Link's EoL Policy to help customers better manage their end-of-life transition and to help D-Link better understand its role in helping our customers migrate to alternative D-Link products and technology.


D-Link’s End-of-Life Policy can be found here: https://support.dlink.com/EndOfLifePolicy.aspx