CISA D-Link Router Vulnerabilities Being Actively Exploited
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting D-Link routers to its CISA Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation. Federal agencies are urged to implement vendor-provided mitigations by June 6, 2024, to address these threats. In this article, we’ll uncover the CISA D-Link router vulnerabilities and preventive measures that can be adopted.
Identified CISA D-Link Router Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently highlighted two critical CISA D-Link router vulnerabilities. These vulnerabilities are currently being actively exploited, posing significant risks to network security.
1. CVE-2014-100005
This vulnerability is a cross-site request forgery (CSRF) flaw found in D-Link DIR-600 routers. It allows attackers to change the router’s configuration by hijacking an existing administrator session. This exploit can be particularly dangerous as it can be performed without the administrator’s knowledge.
2. CVE-2021-40655
The second vulnerability, CVE-2021-40655, is an information disclosure flaw in D-Link DIR-605 routers. Attackers can exploit this weakness to obtain sensitive information, such as usernames and passwords, by forging an HTTP POST request to the /getcfg.php page.
While specific exploitation methods are not detailed, the urgency for applying the necessary mitigations is clear. Notably, CVE-2014-100005 affects legacy D-Link products that are now end-of-life (EoL), making it crucial for organizations still using these devices to replace them with newer, supported models.
New Vulnerabilities in DIR-X4860 Routers
In addition to these known CISA D-Link router vulnerabilities, the SSD Secure Disclosure team has identified unpatched security flaws in D-Link DIR-X4860 routers. These flaws enable remote unauthenticated attackers to access the HNAP port, gain elevated permissions, and execute commands as root.
By combining an authentication bypass with command execution, attackers can fully compromise the device. These vulnerabilities affect routers running firmware version DIRX4860A1_FWV1.04B03.
SSD Secure Disclosure has also released a proof-of-concept (PoC) exploit demonstrating how a specially crafted HNAP login request can bypass authentication protections and achieve code execution through a command injection vulnerability.
D-Link has acknowledged these issues in a bulletin, noting that a fix is currently “Pending Release / Under Development.” The company describes the vulnerability as a LAN-side unauthenticated command execution flaw, highlighting the need for a timely resolution.
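The two request patterns named above (a forged POST to /getcfg.php on the DIR-605, and crafted HNAP login traffic on the DIR-X4860) can be watched for on the management side. The following is an added example, not code from the page or from D-Link; it assumes the router's admin web server, or a proxy or IDS in front of it, logs in Apache common log format, that the HNAP endpoint sits at /HNAP1/, and that only one admin workstation should ever touch these paths. The log lines are constructed.

```python
import re
import ipaddress
from typing import Dict, List, Optional

# Constructed sample lines (assumption: common log format from the admin interface).
SAMPLE_LOG = """\
192.168.0.10 - - [16/May/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 512
192.168.0.77 - - [16/May/2024:09:12:05 +0000] "POST /getcfg.php HTTP/1.1" 200 8192
192.168.0.10 - - [16/May/2024:09:13:40 +0000] "POST /HNAP1/ HTTP/1.1" 200 301
192.168.0.77 - - [16/May/2024:09:14:02 +0000] "POST /HNAP1/ HTTP/1.1" 200 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)'
)

# Assumption: the only host permitted to use the admin interface.
ADMIN_ALLOWLIST = {ipaddress.ip_address("192.168.0.10")}

# Endpoints tied to the advisories discussed above (HNAP path is an assumption).
WATCHED = {
    ("POST", "/getcfg.php"): "CVE-2021-40655 config disclosure attempt",
    ("POST", "/HNAP1/"): "HNAP login/SOAP request from non-admin host",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one common-log-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return watched-endpoint hits that did not come from an allowlisted admin host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        key = (rec["method"], rec["path"].split("?", 1)[0])
        if key not in WATCHED:
            continue
        if ipaddress.ip_address(rec["ip"]) in ADMIN_ALLOWLIST:
            continue
        findings.append({"ip": rec["ip"], "ts": rec["ts"],
                         "path": key[1], "reason": WATCHED[key]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']}: {f['reason']}")
```

On the constructed sample this reports the two requests from 192.168.0.77 and stays silent on the admin host's traffic.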
Ivanti Endpoint Manager Mobile (EPMM) Flaw
Cybersecurity researchers have also released a PoC exploit for a new vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM), identified as CVE-2024-22026, with a CVSS score of 6.7. This flaw permits an authenticated local user to bypass shell restrictions and execute arbitrary commands on the appliance. Remote Code Execution (RCE) vulnerabilities allow attackers to run malicious code on a targeted system, potentially leading to severe security breaches.
Exploit Details
Media reports say that according to Redline Cyber Security’s Bryan Smith, this vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL.
The issue arises from inadequate validation in the EPMM command-line interface’s installation command, which can retrieve an arbitrary RPM package from a user-provided URL without verifying its authenticity.
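The missing control described here is authenticity validation of a package pulled from a caller-supplied URL. The following is an added illustration of what such a check looks like, not Ivanti's code: it assumes updates may only be fetched over HTTPS from an allowlisted host and that each package's SHA-256 is pinned in trusted release metadata. The package bytes and the fetcher are constructed so the example runs offline.

```python
import hashlib
from typing import Callable
from urllib.parse import urlparse

# Assumption: the only origin allowed to serve update packages.
TRUSTED_HOSTS = {"updates.example.invalid"}


class UpdateRejected(Exception):
    """Raised when a package source or its contents fail validation."""


def check_source(url: str) -> None:
    """Reject anything that is not an HTTPS URL to an allowlisted host ending in .rpm."""
    p = urlparse(url)
    if p.scheme != "https":
        raise UpdateRejected(f"insecure scheme: {p.scheme!r}")
    if p.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"untrusted host: {p.hostname!r}")
    if not p.path.endswith(".rpm"):
        raise UpdateRejected("not an RPM path")


def check_digest(data: bytes, expected_sha256: str) -> None:
    """Compare the downloaded bytes against the pinned SHA-256 before any install step."""
    if hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        raise UpdateRejected("digest mismatch")


def fetch_verified(url: str, expected_sha256: str,
                   fetch: Callable[[str], bytes]) -> bytes:
    """Validate the source first, then the contents; only then hand bytes to the installer.
    A real deployment would also verify the RPM's GPG signature (e.g. rpm -K)."""
    check_source(url)
    data = fetch(url)
    check_digest(data, expected_sha256)
    return data


# Constructed package bytes and a fake fetcher standing in for the network.
GOOD_PKG = b"constructed-rpm-bytes-v1"
GOOD_SHA = hashlib.sha256(GOOD_PKG).hexdigest()


def fake_fetch(url: str) -> bytes:
    return GOOD_PKG if url.endswith("/good.rpm") else b"tampered-content"


def try_update(url: str, expected_sha256: str = GOOD_SHA) -> str:
    try:
        fetch_verified(url, expected_sha256, fake_fetch)
        return "installed"
    except UpdateRejected as e:
        return f"rejected: {e}"
```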
CVE-2024-22026 affects all versions of EPMM before 12.1.0.0. Additionally, Ivanti has patched two other SQL injection flaws in the same product, identified as CVE-2023-46806 and CVE-2023-46807, both with CVSS scores of 6.7. These vulnerabilities could allow an authenticated user with the appropriate privileges to access or modify data in the underlying database.
While there is no current evidence of exploitation of these Ivanti EPMM flaws, users are strongly advised to update to the latest version to mitigate potential threats.
Router Security Best Practices
These developments underscore the critical importance of regular threat intelligence updates, patch management, and vigilant security practices. Organizations using affected D-Link routers should prioritize replacing outdated devices and applying all recommended router security patches. For those using Ivanti EPMM, immediate updates to the latest versions are essential to safeguard against exploitation of the flaws described above.
Network Defense Strategies
Ensuring robust Internet of Things (IoT) security is crucial as more devices become interconnected and integrated into daily operations. Using automated patching solutions ensures that your systems stay up-to-date with the latest security patches, keeping your business compliant and secure.
Conclusion
The recent CISA alert highlights the need for heightened awareness and prompt action in addressing security vulnerabilities in network devices. Organizations should promptly replace any end-of-life (EoL) routers to ensure they are not exposed to unpatched security vulnerabilities. By staying informed and proactive, organizations can protect their systems and ensure business continuity.
The sources for this piece include articles in The Hacker News and Security Affairs.