North Korea-Linked Konni APT Group – Active IOCs
May 17, 2024
SugarGh0st RAT Campaign Targets US AI Experts – Active IOCs
May 17, 2024
Severity
High
Analysis Summary
Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting D-Link routers to its Known Exploited Vulnerabilities (KEV) list on Thursday.
D-Link DIR-600 routers are susceptible to a cross-site request forgery (CSRF) vulnerability tracked as CVE-2014-100005, which enables an attacker to modify router configurations by taking over an active administrator session. The second flaw, CVE-2021-40655, is an information disclosure issue affecting D-Link DIR-605 routers: by forging an HTTP POST request to the /getcfg.php page, an attacker can obtain a username and password.
Although the specifics of how these flaws are used in the wild are presently unknown, federal entities have been notified to implement vendor-provided mitigations by June 6, 2024. Note that CVE-2014-100005 affects D-Link legacy products that are past their end of life (EoL), requiring the organizations that use them to replace or retire the affected devices.
This development coincides with the discovery by researchers of unpatched security flaws in DIR-X4860 routers that may allow remote, unauthenticated attackers to gain access to the HNAP port, where they may subsequently execute commands as root and obtain elevated permissions. The device can be fully compromised by combining command execution with an authentication bypass.
Additionally, a proof-of-concept (PoC) exploit has been made public by researchers. It leverages a specially constructed HNAP login request to the router's administrative interface to circumvent authentication safeguards and execute code by exploiting a command injection vulnerability. Since then, D-Link has released a bulletin acknowledging the problem and claiming that a fix is "Pending Release / Under Development". It defined the problem as an unauthenticated command execution vulnerability on the LAN side.
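The three request patterns described above (a POST to /getcfg.php, HNAP traffic from hosts that are not known admin workstations, and a state-changing POST carrying a foreign Referer) can be hunted for in router or reverse-proxy access logs. The following detection script is an added example, not code from this advisory or from D-Link; it assumes a simplified log line format, that HNAP is served under /HNAP1/ (the usual D-Link path), that the router's admin UI origin is http://192.168.0.1/, and that 192.168.0.10 is the only trusted admin workstation. The sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic). Simplified format:
#   client_ip "METHOD path" status "referer" "user-agent"
SAMPLE_LOG = """\
192.168.0.10 "GET /index.php" 200 "http://192.168.0.1/" "Mozilla/5.0"
203.0.113.5 "POST /getcfg.php" 200 "-" "curl/8.0"
192.168.0.10 "POST /tools_admin.php" 200 "http://evil.example/" "Mozilla/5.0"
203.0.113.5 "POST /HNAP1/" 200 "-" "python-requests/2.31"
192.168.0.10 "POST /HNAP1/" 200 "http://192.168.0.1/" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')

# Assumptions: the router admin UI lives at this origin and only this
# workstation is expected to talk to the HNAP interface.
ROUTER_ORIGIN = "http://192.168.0.1/"
TRUSTED_ADMIN_HOSTS = {"192.168.0.10"}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, _status, referer, _ua = m.groups()
    finding = None
    if method == "POST" and path == "/getcfg.php":
        # CVE-2021-40655 pattern: config fetch that can leak credentials
        finding = "CVE-2021-40655: POST to /getcfg.php"
    elif path.startswith("/HNAP1/") and ip not in TRUSTED_ADMIN_HOSTS:
        # DIR-X4860 pattern: HNAP requests from an unexpected host
        finding = "HNAP request from untrusted host"
    elif method == "POST" and referer not in ("-", "") and not referer.startswith(ROUTER_ORIGIN):
        # CVE-2014-100005 pattern: state-changing request riding an admin session
        finding = "CVE-2014-100005: POST with foreign Referer (possible CSRF)"
    if finding is None:
        return None
    return {"ip": ip, "path": path, "finding": finding}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return all findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['path']:20} {hit['finding']}")
```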
Impact
- Information Disclosure
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2014-100005
- CVE-2021-40655
Affected Vendors
- D-Link
Affected Products
- D-Link DIR-600 2.16WW
- D-Link DIR-605 B2 2.01MT
Remediation
- Refer to D-Link Security Advisory for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.