More D-Link Routers Vulnerable to Remote Command Execution

• Ten D-Link routers are vulnerable to remote code execution, and it’s not going to get fixed.
• The models are no longer supported by the manufacturer, but they are still sold online.
• An attacker could plant malware, indulge in traffic snooping, or perform a complete system takeover.

According to Fortinet and its team in the FortiGuard Labs, there’s a severe vulnerability that plagues ten D-Link router models, allowing a malicious actor to execute commands remotely. The exploitation of the particular flaw is based on the CGI (Common Gateway Interface) that is present in several D-Link routers, which is a simple interface for running external programs, software, or gateways. According to the researchers, the CGI code contains two flaws, namely one that exposes it to unauthenticated users, and one that fails to handle newline characters.

An actor can write arguments after a newline character in a POST to the CGI binary, and these will be executed on the device with root privileges. The attacker needs no authentication to perform the HTTP POST request to the router device, and the only prerequisite would be to somehow take the victim to a specially-crafted web page. This flaw is given the identifier “CVE-2019-16920” and a CVSS 3.1 rating of 9.8 (critical). That is because the command injection can lead to full system compromise, while the method remains relatively simple.

If you have been following the news here, you must remember that we had already warned you about the RCE flaws that concerned four models of D-Link routers. More investigation led to the discovery of another six problematic models, so here is the full list of products that you should avoid buying or using:

• DIR-655
• DIR-866L
• DIR-652
• DHP-1565
• DIR-855L
• DAP-1533
• DIR-862L
• DIR-615
• DIR-835
• DIR-825

The reason why this issue is considered unsolvable is that D-Link no longer supports these devices, so they are not planning to release any security patches for them. Their official recommendation is that the customers should replace the devices with one in their newest lines. However, D-Link routers that belong in the list above are still sold in online or physical shops, so it is very possible that people are still buying them as new.

Now that all of this information has been made public, malicious actors will be actively searching for these models, trying to infect them with data-exfiltrating malware, server backdoors, and even conduct network exploration and propagation through them. That said, if you’re still using one of the aforementioned ten D-Link router models, it is absolutely urgent that you replace them with a newer and safer model immediately.

Do you accept D-Link’s decision not to push a firmware update for these unsupported models, or should they have a different approach on the matter? Let us know where you stand in the comments down below, or join the discussion on our socials, on Facebook and Twitter.