Security Announcement
DIR-605L - Rev. A1 - Information Disclosure - Plain Text Password Display - Unauthorized Command By-pass - (FW 1.14 and Older)
Publication ID: SAP10028
Resolved Status: Open
Published on: 22 May 2014 6:44 GMT
Last updated on: 11 August 2014 9:42 GMT

 

Overview

 

The DIR-605L Rev. A1 contains a flaw that displays the administrative password in plain text in the Web-GUI, where it could be intercepted over the network, allowing a malicious user to change settings. An additional flaw allows a malicious user to submit HTTP device commands that require neither the Web-GUI nor a user to be logged into the device. Please read the Recommendations section below to fix this vulnerability.

 

References

 

 Secunia - Author Contact Information Available - http://seclists.org/fulldisclosure/2014/May/90

 

 

Description

 

To preserve the author's intent, please read the disclosure at: http://seclists.org/fulldisclosure/2014/May/90

 

Taken directly from the disclosure/author, the following two issues have been confirmed by D-Link.

 

 

1. The login password is printed out in clear text in the "Current Network Setting" page (just after login) "Device Info" section.

 

 

2. The router can be controlled using a crafted URL (GET request), even without login

e.g. use any browser to visit "http://192.168.0.1/Status/wan_button_action.asp?connect=true"

 

D-Link R&D designed the product for ease of use and to reduce support call incident rates for customers who forget their password. As a result, issue 1 does exist and is under review for improvement. Issue 2 requires correction.

 

This platform is used in several models under the D-Link brand name; we will update this advisory as more information and confirmation become available (May 22, 2014 12pm PST).
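A detection sketch for issue 2, added here as an example and not part of D-Link's advisory or the original disclosure: it scans HTTP transaction records from a LAN sensor for GET requests to the action URL quoted above and notes whether each one carried a session cookie. The JSON record layout, the `has_cookie` field, the function name and all sample records are constructed assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: management address of the router being monitored.
ROUTER_HOSTS = {"192.168.0.1"}
# Path from the advisory's issue 2 example, lower-cased for matching.
ACTION_PATHS = {"/status/wan_button_action.asp"}

# Constructed sample records (hypothetical sensor output, one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2014-05-22T12:00:01Z", "src": "192.168.0.23", "method": "GET", "url": "http://192.168.0.1/Status/wan_button_action.asp?connect=true", "has_cookie": false}
{"ts": "2014-05-22T12:00:05Z", "src": "192.168.0.10", "method": "GET", "url": "http://192.168.0.1/", "has_cookie": true}
{"ts": "2014-05-22T12:03:40Z", "src": "192.168.0.23", "method": "GET", "url": "http://192.168.0.1/Status/wan_button_action.asp?connect=true", "has_cookie": false}
{"ts": "2014-05-22T12:04:02Z", "src": "192.168.0.10", "method": "GET", "url": "http://192.168.0.1/Status/wan_button_action.asp?connect=true", "has_cookie": true}
truncated sensor line, not valid JSON
{"ts": "2014-05-22T12:05:00Z", "src": "192.168.0.40", "method": "GET", "url": "http://example.test/Status/wan_button_action.asp?connect=true", "has_cookie": false}
"""


def find_action_requests(log_text):
    """Return {source_ip: [finding, ...]} for GETs to the router's action URL."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or truncated sensor lines
        if not isinstance(rec, dict):
            continue
        url = urlsplit(rec.get("url", ""))
        if (url.hostname or "") not in ROUTER_HOSTS:
            continue  # same path on an unrelated host is not the router
        if url.path.lower() not in ACTION_PATHS:
            continue  # case-insensitive match so case variants are not missed
        if str(rec.get("method", "")).upper() != "GET":
            continue
        findings[rec.get("src", "unknown")].append({
            "ts": rec.get("ts"),
            "params": parse_qs(url.query),
            # Assumption: no Cookie header means no logged-in session.
            "unauthenticated": not rec.get("has_cookie", False),
        })
    return dict(findings)


if __name__ == "__main__":
    for src, hits in find_action_requests(SAMPLE_LOG).items():
        for hit in hits:
            print(src, hit["ts"], hit["params"], "no-session" if hit["unauthenticated"] else "session")
```

Requests flagged as unauthenticated are the ones issue 2 describes; a client that never opened the Web-GUI yet issues them warrants a look.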

 

Recommendations

 

Please register the unit with mydlink.com so you receive the latest firmware update notifications via the mydlink portal or the mydlink mobile applications. Your router's mydlink feature can be registered via the Web-GUI under Setup -> mydlink. For further help, you can find quick setup guides and help at http://support.mydlink.com .

 

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

 

Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.

 

The router's mydlink feature provides a secured way to maintain the product remotely, which is safe to use from a PC browser or the mydlink mobile applications. The mydlink feature works independently of the router's remote network management feature. D-Link recommends that your D-Link router's remote network management feature be disabled (factory default is disabled) to prevent a malicious remote user from using this vulnerability to directly access/exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.

 

D-Link recommends that all PCs (Windows or Mac) are up-to-date and scanned for viruses, bots, or other damaging software that could compromise the network to which they are connected.

 

WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

 

The default configuration of D-Link's routers is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices so security risks for your entire network are minimized.

 

 

Affected Product

   

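| Model Name | HW Version | Current FW Version | New FW Version for this exploit fix |
|------------|------------|--------------------|-------------------------------------|
| DIR-605L   | Ax         | v. 1.14 and older  | FW: Under Investigation (Updated: 08/11/2014) |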

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device's web configuration.