6 new vulnerabilities with D-Link home routers allow hackers to launch remote attacks

Palo Alto Networks security researchers have discovered six new vulnerabilities with the D-Link wireless home router that allows attackers to launch remote attacks.

The vulnerabilities detected with the DIR-865L model of D-Link routers are mainly used in domestic environments. In the current situation where we work from home, these vulnerabilities can pose serious threats.

Researchers have absorbed six of these vulnerabilities with the latest firmware models. Combining vulnerabilities can pose significant risks.

CVE-2020-13782

The vulnerabilities live in the router’s web interface controller, an attacker with authentication or with an active session cookie may inject arbitrary code to be executed in administrative privileges.

CVE-2020-13782
CVE-2020-13782

CVE-2020-13786

Multiple router web interface web pages vulnerable to CSRF. Allows an attacker to sniff web traffic and access password-protected web interface pages.

CVE-2020-13785

Data transferred with the SharePort Web Access portal on port 8181 is not encrypted, allowing an attacker to determine the password.

CVE-2020-13785
CVE-2020-13785

CVE-2020-13784

The generation of session cookies is predictable; an attacker can decide the session cookie simply by knowing the user’s access time.

CVE-2020-13783

Login credentials are stored in plain text, an attacker must have physical access to steal passwords.

CVE-2020-13783
CVE-2020-13783

CVE-2020-13787

If the administrator selects WEP (Wired Equivalent Privacy) which was deprecated in 2004 for the guest wifi network, the passwords will be sent in clear text.

The combination of all these vulnerabilities allows attackers to execute arbitrary commands, exfiltrate data, load malware, delete data or steal user credentials, reads in the Paloalto blog post.

D-Link has corrected vulnerabilities with the router, users are advised to update with the latest firmware to correct the vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *