Analysis Summary

Attackers with access to the HNAP port may be able to take over the D-Link EXO AX4800 (DIR-X4860) router entirely through remote, unauthenticated command execution.

With speeds of up to 4800 Mbps and cutting-edge features like OFDMA, MU-MIMO, and BSS Coloring that improve efficiency and lessen interference, the D-Link DIR-X4860 router is a high-performance Wi-Fi 6 router. According to D-Link's website, the device is sold globally and is especially common in Canada. The seller continues to provide active support for the product.

Researchers have reported that vulnerabilities have been found in DIR-X4860 devices that are running DIRX4860A1_FWV1.04B03, the most recent firmware version that permits unauthenticated remote command execution (RCE). Due to security flaws in DIR-X4860, remote, unauthorized attackers with access to the HNAP port can elevate their privileges and execute commands as root. The device can be fully compromised by combining command execution with an authentication bypass.

The D-Link DIR-X4860 router's Home Network Administration Protocol (HNAP) port is often accessible through the router's remote management interface on either HTTP (port 80) or HTTPS (port 443), making it quite simple to use. For each vulnerability that the analysts found, they have released detailed exploitation guidelines, resulting in the public release of a proof-of-concept (PoC) exploit.

The attack starts with a specially constructed HNAP login request to the router's administration interface, with the username "Admin" and the parameter "PrivateLogin" set to "Username." A challenge, a cookie, and a public key are returned by the router, and these are utilized to create a legitimate login password for the "Admin" account.

To effectively avoid authentication, a follow-up login request is sent to the target device together with the created LoginPassword and the HNAP_AUTH header. After gaining authorized access, the attacker uses a specifically constructed request to take advantage of a command injection vulnerability in the 'SetVirtualServerSettings' function. Because the 'SetVirtualServerSettings' method is susceptible and does not properly sanitize the 'LocalIPAddress' parameter, the injected command can run within the router's operating system.

The vulnerabilities remain unpatched as of right now, according to the researchers, who have attempted to alert D-Link three times in the last thirty days about their discoveries. Nevertheless, none of the attempts have been effective. Users of the DIR-X4860 should disable the device's remote access management interface to prevent exploitation until a security firmware update becomes available.

Impact

• Command Execution
• Security Bypass
• Unauthorized Access

Remediation

• Refer to D-Link Security Advisory for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.