Security: Firmware update for D-Link DIR-850L router

[German]A few days ago, security researchers reported serious vulnerabilities in the D-Link DIR-850L router. Now D-Link has provided firmware updates to close the vulnerabilities.


Vulnerabilities in the D-Link DIR-850L Router

I've seen the first mentions on the subject came on September 11,2017 within this The Hacker News article. Security researchers had found a total of 10 vulnerabilities in the D-Link DIR 850L WLAN router. According to The Hacker News there are:

  • Lack of proper firmware protection—since the protection of the firmware images is non-existent, an attacker could upload a new, malicious firmware version to the router. Firmware for D-Link 850L RevA has no protection at all, while firmware for D-Link 850L RevB is protected but with a hardcoded password.
  • Cross-site scripting (XSS) Flaws—both LAN and WAN of D-Link 850L RevA is vulnerable to "several trivial" XSS vulnerability, allowing an attacker "to use the XSS to target an authenticated user in order to steal the authentication cookies."
  • Retrieve admin passwords—both LAN and WAN of D-Link 850L RevB are also vulnerable, allowing an attacker to retrieve the admin password and use the MyDLink cloud protocol to add the user's router to the attacker's account to gain full access to the router.
  • Weak cloud protocol—this issue affects both D-Link 850L RevA and RevB. MyDLink protocol works via a TCP tunnel that use no encryption at all to protect communications between the victim's router and the MyDLink account.
  • Backdoor Access—D-Link 850L RevB routers have backdoor access via Alphanetworks, allowing an attacker to get a root shell on the router.
  • Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB, allowing to extract them to perform man-in-the-middle (MitM) attacks.
  • No authentication check—this allows attackers to alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests, forward the traffic to their servers, and take control of the router.
  • Weak files permission and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB. In addition, routers store credentials in clear text.
  • Pre-Authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
  • Denial of Service (DoS) bugs—allow attackers to crash some daemons running in both D-Link 850L RevA and RevB remotely via LAN.

The vulnerabilities make it possible to take over the router. On September 13th, a security researcher published further details on the D-Link gaps, as can be read at Bleeping Computer. These gaps made it possible to take over the router from the Mirai botnet.

D-Link provides firmware update for the DIR-850L

The D-Link article DIR-850L Rev. Ax & Bx : Multiple Security Vulnerability Report, dated September 18, 2017 explains some details about the vulnerabilities in D-Link DIR-850L routers. D-Link has gone to the rework and now offers firmware updates via the support pages of the DIR-850L product or the following direct links:

The hardware version of the DIR-850L can be found on the device label on the bottom of the router. On the D-Link page you will also find some hints on how to improve your privacy with router settings.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *