Severity
High
Analysis Summary
D-Link has issued a warning about four critical remote code execution (RCE) vulnerabilities affecting all hardware and firmware versions of its DIR-846W router.
The flaws, found by security researchers and detailed on August 27, 2024, will not be patched because the router has reached end-of-life (EOL) status. Three of the four are rated critical and one high, and three of them can be exploited without authentication. They are summarized as follows:
- CVE-2024-41622: Critical RCE through the tomography_ping_address parameter in the /HNAP1/ interface (CVSS v3 score: 9.8)
- CVE-2024-44340: High-risk RCE via smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (CVSS v3 score: 8.8, requires authentication)
- CVE-2024-44341: Critical RCE through the lan(0)_dhcps_staticlist parameter with a crafted POST request (CVSS v3 score: 9.8)
- CVE-2024-44342: Critical RCE via the wl(0).(0)_ssid parameter (CVSS v3 score: 9.8)
D-Link's announcement acknowledged the flaws but stated that no updates will be provided as the DIR-846W has been out of support since 2020. The company advises users to retire the device and replace it with a supported model. For those unable to replace the router immediately, D-Link suggests updating to the latest firmware, using strong passwords, and enabling WiFi encryption.
The DIR-846W is primarily sold outside the U.S., including in Latin America, and the vulnerabilities pose a global risk. In light of recent trends where D-Link routers are exploited by malware botnets like Mirai and Moobot and similar flaws in other D-Link models have been used for data theft, securing affected routers is crucial before potential proof-of-concept exploits are released.
Impact
- Remote Code Execution
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2024-41622
- CVE-2024-44340
- CVE-2024-44341
- CVE-2024-44342
Affected Vendors
Remediation
- Replace the DIR-846W with a currently supported router model to ensure ongoing security and support.
- If replacement is not immediately possible, ensure the router runs the latest firmware to mitigate any existing vulnerabilities.
- Set strong, unique passwords for the router’s web admin portal to reduce the risk of unauthorized access.
- Activate WPA2 or WPA3 encryption on the router to secure wireless communications and prevent unauthorized access to the network.
- Be vigilant for signs of exploitation or unauthorized activity, especially since proof-of-concept exploits may be released.
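The last remediation item asks operators to watch for signs of exploitation. Because the affected parameters are named in the advisory, a defender can triage HTTP traffic to the router for requests that touch them. The following script is an added example and is not part of the advisory or any D-Link tooling; it assumes a hypothetical proxy or IDS export that records request bodies (the router's own logs do not), in the constructed format `<timestamp> <src-ip> "<METHOD> <path> HTTP/1.1" <status> body="<raw body>"`, and an operator-maintained set of expected admin hosts. The sample log lines are constructed, not real traffic.

```python
"""Triage web/proxy log lines for requests that reference the DIR-846W
parameters named in the D-Link advisory (CVE-2024-41622, CVE-2024-44340,
CVE-2024-44341, CVE-2024-44342).

Assumed (hypothetical) input format, one request per line:
  <timestamp> <src-ip> "<METHOD> <path> HTTP/1.1" <status> body="<raw body>"
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Parameter names listed in the advisory, mapped to the CVE each belongs to.
ADVISORY_PARAMS = {
    "tomography_ping_address": "CVE-2024-41622",
    "smartqos_express_devices": "CVE-2024-44340",
    "smartqos_normal_devices": "CVE-2024-44340",
    "lan(0)_dhcps_staticlist": "CVE-2024-44341",
    "wl(0).(0)_ssid": "CVE-2024-44342",
}

# Hosts from which legitimate administration of the router is expected.
# Assumption: a defender fills this from their own asset inventory.
ADMIN_HOSTS = {"192.168.0.10"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    path: str
    param: str
    cve: str
    priority: str  # "high" for unexpected sources, "review" for known admin hosts


def scan_line(line: str) -> list[Finding]:
    """Return one Finding per advisory parameter present in the request.

    Legitimate administration (e.g. changing the SSID) also sets these
    parameters, so hits from known admin hosts are downgraded to "review"
    rather than suppressed; everything else is "high" for immediate triage.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # unparseable line; a real pipeline would count these
    # Percent-decode so an encoded name such as lan%280%29_dhcps_staticlist
    # still matches the plain parameter name.
    haystack = unquote(m["path"]) + "\n" + unquote(m["body"])
    priority = "review" if m["src"] in ADMIN_HOSTS else "high"
    return [
        Finding(m["ts"], m["src"], m["path"], param, cve, priority)
        for param, cve in ADVISORY_PARAMS.items()
        if param in haystack
    ]


def scan_log(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


def high_priority(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.priority == "high"]


# Constructed sample lines (not real traffic). Request bodies are simplified
# name=value text; parameter values are omitted on purpose.
SAMPLE_LOG = [
    '2024-09-04T10:00:01Z 192.168.0.10 "GET /HNAP1/ HTTP/1.1" 200 body=""',
    '2024-09-04T10:00:05Z 192.168.0.10 "POST /HNAP1/ HTTP/1.1" 200 '
    'body="wl(0).(0)_ssid=HomeNet"',
    '2024-09-04T10:02:17Z 203.0.113.7 "POST /HNAP1/ HTTP/1.1" 200 '
    'body="tomography_ping_address=(value omitted)"',
    '2024-09-04T10:02:18Z 203.0.113.7 "POST /HNAP1/ HTTP/1.1" 200 '
    'body="lan%280%29_dhcps_staticlist=(value omitted)"',
    "not a log line at all",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.priority}] {f.ts} {f.src} {f.path} {f.param} ({f.cve})")
```

Run against the constructed sample, the script reports the SSID change from the known admin host as "review" and the two requests from 203.0.113.7 as "high", one for CVE-2024-41622 and one for CVE-2024-44341. Matching on parameter presence rather than on any particular value keeps the rule simple and avoids encoding tricks in the value, at the cost of flagging legitimate admin activity, which is why the admin-host allowlist exists.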