D-Link has fixed critical vulnerabilities in three popular wireless router models that allow remote attackers to execute arbitrary code or access the devices using hardcoded credentials.
The impacted models are popular in the consumer networking market, especially among users looking for high-end WiFi 6 routers (DIR-X) and mesh networking systems (COVR).
The bulletin lists five vulnerabilities, three of which are rated critical, in the following firmware: COVR-X1870 (non-US) firmware versions v1.02 and below, DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older, and DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older.
The five flaws and their associated advisories are listed below:
- CVE-2024-45694 (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device.
- CVE-2024-45695 (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
- CVE-2024-45696 (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network.
- CVE-2024-45697 (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials.
- CVE-2024-45698 (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials.
To fix the flaws, D-Link recommends customers upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.
D-Link says it learned of the flaws from Taiwan's CERT (TWCERT) on June 24 but was not given the standard 90-day period to fix the flaws before they were disclosed.
"When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches," D-Link stated in its security bulletin.
"The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer."
BleepingComputer has not been able to find any previous public disclosure of these vulnerabilities and has contacted D-Link to learn more.
D-Link has not reported any in-the-wild exploitation of the flaws, but as D-Link is commonly targeted by malware botnets, installing the security updates remains crucial.
Comments
Lefty4444 - 1 month ago
I am no expert, but this looks like D-Link just being negligent with security on their security appliances.
h_b_s - 1 month ago
D-Link has a reputation for being an easy mark in the hacker world. Their code quality is in the basket, and they've no real incentives to do any better as it would cost them money. More money than they're likely making on razor thin margin products.
Consumers largely don't know any better, and trying to get them to pay attention to their personal security is nearly impossible even after an incident. They're buying on price and convenience. SMBs aren't much better as they usually don't have the funds to pay for skilled IT staff or support contracts. Big corporations that do have the money often won't bother either, because they're run by people that are just as bad as the average consumer and only concerned about their contracted bonus and the board of directors (who are also security ignorant). The problem is proper security takes time, skill, and effort most people don't want to spend even in light of rampant ransomware, nation state attacks, and insider threats.
Gisabun - 1 month ago
Seems all I have seen are D-Link flaws. Hardcoded passwords still?