D-Link router riddled with 0-day flaws

'Basically, everything was pwned, from the Lan to the Wan'

Updated A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.

Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without disclosing the issue to D‑Link beforehand because of a previous negative experience with the firm. He disclosed nine vulnerabilities to D‑Link back in February, but only one of them resulted in a patch from the manufacturer.

The D‑Link 850L zero-day flaws disclosed this week include a lack of adequate protection of firmware images, a shortcoming that means hackers could push malicious copies containing a backdoor onto targeted devices, flaws in the custom mydlink cloud protocol, and more. In an advisory, the security researcher also found remote code execution flaws, default private keys and a DDoS risk. Cross-site scripting (XSS), credentials stored in cleartext, and a Lan backdoor also feature.

"The D‑Link 850L is a router overall badly designed with a lot of vulnerabilities," Kim offers in a somewhat dismissive summary seemingly borne out of exasperation with the networking kit maker.

"Basically, everything was pwned, from the Lan to the Wan."

El Reg approached D‑Link for comment both via Twitter and through its web form, but we're yet to hear back from the manufacturer. It's therefore unclear whether or not the vendor acknowledges the bugs much less whether it plans to patch them or not.

Kim concludes by referencing his previous negative experiences with D‑Link in explaining why he had gone public this time before advising punters of the vulnerable equipment and to use other kit instead:

Due to difficulties in previous exchange with D‑Link, full disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure. I advise to IMMEDIATELY DISCONNECT vulnerable routers from the internet.

Kim has form for err, routing out router vulnerabilities (previous coverage here), as well as flaws in other forms of IoT devices such as webcams (here). ®

Updated to add, 09.10, 22/09/17

A D-Link spokesperson finally got back to us, saying: "On September 8, 2017, a news article reported zero-day flaws with D-Link DIR-850L routers. D-Link immediately took actions to investigate the issues and endeavors to find the solutions to resolve them. A firmware update is now available at support.dlink.com."


Biting the hand that feeds IT © 1998–2017