D-Link, Comba network gear leave passwords open for potentially whole world to see
Manufacturers seem not to care – some routers still awaiting patches
DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners' passwords out in the open.
Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers.
For D-Link gear, two bugs were discovered in the firmware for the DSL-2875AL and DSL-2877AL wireless ADSL modem/router. The first bug describes a configuration file in the DSL-2875AL that contains the user password, and does not require any authentication to view: you just have to be able to reach the web-based admin console, either on the local network or across the internet, depending the device's configuration.
"This file is available to anyone with access to the web-based management IP address and does not require any authentication," Trustwave's Karl Sigler said on Tuesday. "The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there."
The second flaw is present in both the 2857AL and 2877AL models. It is less a "flaw" than a glaring security oversight: the source code for the router log-in page (again, accessible to anyone that can reach its built-in web UI server) contains the ISP username and password of the user in plain text. This can be pulled up simply by choosing the "view source" option in a browser window.
Fixes have been released for both models. Those with the 2877AL modem will want to get Firmware 1.00.20AU 20180327, while owners of the 2875AL should update to at least version 1.00.08AU 20161011.
The Register tried to get in touch with D-Link for comment on the matter, but was unable to get a response. Trustwave didn't fare much better, saying that the bugs were only listed as patched after the researchers told D-Link they were going public with the findings, after waiting months for the router biz to get its act together.
"D-Link’s response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs," Sigler explained.
The Joy of Six... critical security patches: Cisco small biz switches open to hijacking via web UIREAD MORE
"After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely."
With Comba, three vulnerabilities were found within the AC2400 Wi-Fi Access Controller and AP2600-IAccess Point. In the first flaw, present in the AC2400, the MD5 hashed password is stored in plaintext in a file anyone can reach by knowing the device's IP address.
The AP2600-I, meanwhile, stores the MD5 hashed password both in the source of the log-in webpage and in a config file, both accessible to anyone who knows the router's IP address.
The Register has yet to receive a response from Comba. Neither did Trustwave, and at the time of writing it appears no fix has been posted. ®