Security Market Segment LS
Thursday, 14 September 2017 12:03

More flaws found in D-Link routers, exploit code released Featured


Close on the heels of news about flaws in the D-Link 850L wireless AC1200 dual-band gigabit routers, hardware security outfit Embedi has revealed details of three vulnerabilities in a number of other D-Link routers.

The company also released exploit code for all three vulnerabilities, putting this down to the way it claimed the company had responded when it was informed about the flaws.

Embedi said its researchers had found flaws in the DIR890L, DIR885L, DIR895L and other DIR8xx D-Link routers.

Two of the vulnerabilities are related to the main CGI file that generates Web interface pages to control the router. The other flaw is in system recovery.

In one case, the Embedi researchers said it was possible to obtain the login and password of a router by making a single HTTP request.

A second case provided a root shell through an HTTP request due to a stack overflow caused by an execution error.

A third vulnerability gave an attacker root status when updating the firmware in recovery mode.

Security researcher Victor Gevers, who looks for vulnerable devices and reports them to the owners and ISPs, claimed to have found 428 of the vulnerable D-Link devices in Australia.

Embedi said it had first made contact with D-Link on 26 April and informed the company about two of the vulnerabilities. At that stage, the third bug was yet to be found by Embedi.

Two days later, Embedi says it was told by D-Link researchers that the vulnerabilities had already been patched in a beta version of the firmware.

However, Embedi says that when its researchers looked at the firmware on 3 May, they found that one of the vulnerabilities had not been fixed.

Between that time and 9 May, the Embedi team found the third vulnerability. After informing D-Link, Embedi asked whether progress had been made on fixing the two bugs about which D-Link had been notified.

"They answered that the very process of detecting, fixing and assessing a vulnerability takes some time," Embedi said.

On 1 June, Embedi says it notified CERT of the flaws. CERT's response was to advise Embedi to work with the vendor (D-Link) before public disclosure.

The next day, Embedi says it contacted D-Link and said that it would make the vulnerabilities public if there was no response from the company.

On 6 June, D-Link contacted Embedi and detailed its vulnerability response process. Another version of the beta firmware was also sent, in which the vulnerability in the CGI script was fixed. But the other two vulnerabilities were still not fixed.

Embedi says it then wrote to D-Link again about the unpatched vulnerabilities. It was told that D-Link's research and development unit was working on a solution.

Part of D-Link's response was: "Typically the cycle of fixes is a couple of weeks for beta you can validate. Once validated we will offer it to the public as a beta, then it will move on to long term QA as an RC to be released. A full release cycle will usually take up to 90 days."

Embedi waited until mid-August and then checked D-Link's website. But all it found was the same firmware which had unpatched vulnerabilities.

"So, the bottom line of our research is:

"D-Link has closed one of the detected vulnerabilities in the DIR890L router only, leaving other devices unsafe;

"Two other vulnerabilities were (and are still) ignored by the developer.

"Well done, D-Link!" Embedi wrote.

iTWire contacted D-Link on Thursday for its response which will be included here when it is received.

In January, D-Link was taken to court by the US Federal Trade Commission after it failed to act when notified about security flaws in its devices.

Update, 25 September: A D-Link spokesperson responded to iTWire's query, saying: "On 12 September, a news article reported vulnerabilities with D-Link routers DIR-890L, DIR-895L, and DIR-885L. D-Link immediately investigated the issues and endeavours to resolve them. A firmware update will be released on 4 October to address the reported issues."

Read 11256 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


Thoughtworks presents XConf Australia, back in-person in three cities, bringing together people who care deeply about software and its impact on the world.

In its fifth year, XConf is our annual technology event created by technologists for technologists.

Participate in a robust agenda of talks as local thought leaders and Thoughtworks technologists share first-hand experiences and exchange new ways to empower teams, deliver quality software and drive innovation for responsible tech.

Explore how at Thoughtworks, we are making tech better, together.

Tickets are now available and all proceeds will be donated to Indigitek, a not-for-profit organisation that aims to create technology employment pathways for First Nations Peoples.

Click the button below to register and get your ticket for the Melbourne, Sydney or Brisbane event



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News