Researchers have recently discovered that some popular D-Link VPN routers on the market are affected by three new high-risk security vulnerabilities, which leave millions of home and corporate networks open to cyber attacks, even if they are protected by strong passwords.
This attack was discovered by researchers from Digital Defense. The three security vulnerabilities were reported to D-Link on August 11. If exploited, the vulnerabilities may allow remote attackers to execute arbitrary commands on vulnerable network devices through specially crafted requests, and even launch denial-of-service attacks.
VPN routers such as D-Link DSR-150, DSR-250, DSR-500 and DSR-1000ac running firmware versions 3.14 and 3.17 in the DSR series all have remotely exploitable root command injection vulnerabilities.
The Taiwanese network equipment manufacturer confirmed the vulnerabilities in a report on December 1, adding that it was developing patches for two of the three vulnerabilities; these patches have been released to the public at the time of writing.
Digital Defense stated in a report:
“Through WAN and LAN interfaces, this vulnerability may be exploited on the Internet.”
Therefore, a remote unauthenticated attacker who has access to the router’s web interface can execute arbitrary commands as the root user, effectively gaining complete control over the router.
The attack works as follows: the vulnerable “Lua CGI” component can be accessed without authentication and lacks server-side filtering, so an attacker (authenticated or otherwise) can inject malicious commands, which are then executed with root privileges.
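The two missing controls named above (an authentication check and server-side filtering) are sketched below as an added example. It is not D-Link firmware code, and the handler, its `host` parameter and the request table layout are hypothetical.

```lua
-- Added illustration, not D-Link firmware code. The handler, its "host"
-- parameter and the request table layout are hypothetical.

-- Vulnerable pattern: the request value is concatenated into a shell
-- command line with no server-side check, so shell metacharacters in it
-- change what the shell (running as root on the device) executes.
local function build_cmd_unsafe(params)
  return "ping -c 1 " .. tostring(params.host)
end

-- Strict allow-list: accept only a dotted-quad IPv4 address.
local function is_ipv4(s)
  if type(s) ~= "string" or #s > 15 then return false end
  local octets = { s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
  if #octets ~= 4 then return false end
  for _, o in ipairs(octets) do
    if #o > 3 or tonumber(o) > 255 then return false end
  end
  return true
end

-- Hardened handler: authenticate first, validate on the server, and only
-- then build the command. Returns an HTTP status and a message or command.
local function handle_diag(request)
  if not request.session_valid then
    return 401, "authentication required"
  end
  local host = request.params and request.params.host
  if not is_ipv4(host) then
    return 400, "invalid host"
  end
  return 200, "ping -c 1 " .. host
end

-- Constructed sample requests (documentation address range).
local samples = {
  { session_valid = false, params = { host = "192.0.2.10" } },
  { session_valid = true,  params = { host = "192.0.2.10; id" } },
  { session_valid = true,  params = { host = "192.0.2.999" } },
  { session_valid = true,  params = { host = "192.0.2.10" } },
}
for _, req in ipairs(samples) do
  local status, result = handle_diag(req)
  print(req.params.host, "unsafe: " .. build_cmd_unsafe(req.params), status, result)
end
```

Only the last sample reaches the command-building step. The unsafe builder, by contrast, passes every value through unchanged, including the one containing a shell separator.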
Another vulnerability reported by Digital Defense involves modification of router configuration files to inject malicious CRON expressions and execute arbitrary commands as the root user.
However, the person in charge of D-Link said that they will not fix this vulnerability in “this generation of products”, and said that it is an issue they had long anticipated.
The person in charge of D-Link said:
“The device uses a plain text configuration. The design can directly edit the configuration and upload it to the same DSR device accordingly.”
If D-Link mitigates vulnerabilities #1 and #2 and other recently reported vulnerabilities, a malicious attacker may devise a way to gain access to the device to upload configuration files.
Digital Defense warned that as the COVID-19 pandemic has led to an unprecedented increase in the number of people working from home, more employees may use affected devices to connect to the company network.
As companies scramble to adapt to remote work and provide secure remote access to corporate systems, this change has created a new attack surface, and vulnerabilities in VPNs have become common targets for attackers to enter corporate internal networks.
It is recommended that companies using the affected products update their products in time.