Trustwave’s Spiderlabs has uncovered credential leaking vulnerabilities in D-Link wireless ADSL2+ modem routers that are “widely available in Australia”.
Researcher Simon Kenin found that the discontinued D-Link DSL-2875AL wireless ADSL2+ modem leaks passwords through its web-based management interface.
Anyone with local network access can simply use a web browser to view the romfile.cfg file stored on the router, without any authentication required. The file contains the password to the device in clear text.
Similarly, the DSL-2875AL leaks user credentials via the hyper text markup language source for the router login page.
By searching for the username_v and password_v variables in the index.asp page, an attacker on the local network can get the login credentials to subscribers’ internet provider accounts.
Trustwave – which is owned by Singtel – says the vulnerabilites are serious as they allow attackers to control the routers over which all user data travels to their internet providers.
The security vendor reported the vulnerabilties to D-Link, but said the router vendor’s response was “confusing and unfortunately very typical for organisations not set up to accept security problem [reports] from third party researchers.”
D-Link was given a 90-day period of time before publication of the vulnerabilites by Trustwave, as part of the company’s responsible disclosure policy, and initially said it would escalate the issue with its reseach and development group.
Trustwave extended the deadline after D-Link said it could not escalate the issue, and eventually stopped responding to Trustwave altogether.
Ahead of publication of the vulnerabilities, D-Link told Trustwave that it had issued patches for the flaws.
“While it’s always good to hear that vulnerabilities have been patched (that is our goal after all) it sometimes takes the leverage of full disclosure to force organisations to scramble to do in one week what nine months of good faith outreach could not,” Trustwave’s Kenin said.
The firmware along with other updates is accessed from D-Link’s support site via the plain-text HTTP web page protocol, and not the secure, encrypted HTTPS.
D-Link has been contacted for comment on the matter.
Published at Tue, 10 Sep 2019 04:45:00 +0000