Analysis Summary

A critical vulnerability, CVE-2024-0769, with a CVSS score of 9.8, has been discovered in D-Link DIR-859 WiFi routers posing significant security risks. This path traversal vulnerability can lead to information disclosure, enabling threat actors to exploit the flaw to collect account information including user passwords.

Cybersecurity researchers analyzed these exploitation attempts and highlighted that attackers specifically target the ‘DEVICE.ACCOUNT.xml’ file to extract all account names, passwords, user groups, and user descriptions on the device. The exploitation involves sending a malicious POST request to the ‘/hedwig.cgi’ endpoint which accesses sensitive configuration files (‘getcfg’) via the ‘fatlady.php’ file. This process potentially exposes user credentials, granting attackers the ability to control the device fully.

Researchers observed a slight variation of the public exploit in the wild which leverages the vulnerability to render a different PHP file and dump all user information from the device. This variation utilizing ‘DEVICE.ACCOUNT.xml’, exposes all account details, making it a significant security concern.

The D-Link DIR-859 routers have reached their End of Life (EOL) and End of Service Life (EOS), meaning the vendor will not address this flaw. Researchers emphasized that information disclosed from these devices will remain valuable to attackers as long as the routers are internet-facing. This unpatched vulnerability poses a long-term risk as the disclosed information can be used in future exploitation attempts potentially leading to unknown authenticated remote code execution (RCE) vulnerabilities.

In response to this critical issue, D-Link customers are strongly advised to replace their EOL devices as soon as possible to mitigate the risk of exploitation. The analysis includes a list of possible variations of other getcfg files that can be targeted using CVE-2024-0769, underscoring the importance of proactive measures to protect against these persistent threats.

Impact

• Sensitive Data Theft
• Information Disclosure
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2024-0769

Affected Vendors

Remediation

• Refer D-Link Website for patch, upgrade, or suggested workaround information.
• Replace DIR-859 WiFi routers with newer models that are actively supported and receive security updates.
• Immediately disconnect any DIR-859 routers from the internet to prevent potential exploitation.
• Ensure that all network devices have the latest firmware updates installed.
• Continuously monitor network traffic for unusual activity or signs of exploitation attempts.
• Change all passwords on network devices to strong, unique passwords and regularly update them.
• Limit access to network devices to trusted users and use network segmentation to isolate critical devices.
• Enable multi-factor authentication (MFA) where possible to add an extra layer of security.
• Conduct regular security audits of all network devices and configurations to identify and address vulnerabilities.
• Keep up to date with the latest security advisories and threat intelligence related to network devices and vulnerabilities.