A hidden backdoor vulnerability has been discovered in several D-Link router models, potentially allowing unauthenticated attackers on a local network to gain elevated access.
The flaw, identified as CVE-2024-6045 and rated with a high severity score of 8.8 by the Taiwanese CERT (TWCERT), affects a wide range of D-Link models, including the E15, E30, G403, G415, G416, M15, M18, M30, M32, M60, R03, R04, R12, R15, R18, and R32.
Backdoor details
The backdoor was initially reported by a security researcher using the moniker “raymond” and made public on June 17, 2024. The issue centers around an undisclosed factory testing backdoor left open in the firmware of the affected devices. This backdoor can be exploited by accessing a specific URL, which in turn forces the device to enable its Telnet service. Attackers can then use hardcoded administrator credentials, obtainable through firmware analysis, to gain unauthorized access to the router.
Telnet is a network protocol used for remotely accessing computers and network devices. It operates on a command-line interface, allowing users to control the target device as if they were directly connected to it. While useful for legitimate administrative tasks, if enabled by an attacker, Telnet can be used to execute arbitrary commands, change configurations, and potentially further compromise the network.
The hardcoded credentials are embedded within the router's firmware. They are relatively easy to find for anyone with moderate technical skills and access to the device's firmware. By downloading the firmware and performing a basic reverse engineering process, attackers can extract the credentials and use them to gain unauthorized access via the enabled Telnet service. Of course, malicious actors don't need to do the reverse engineering themselves, as others who have already done it have published this information online.
Impact and mitigation
D-Link has acknowledged the issue and released firmware updates to address the vulnerability. The affected models are part of the EAGLE PRO AI Family and AQUILA PRO AI Family, impacting both residential and small business environments. To mitigate the risk, users are advised to update their firmware to the latest versions as listed below:
- G403, G415, G416, M18, R03, R04, R12, R18: Update to version 1.10.01 or later
- E30, M30, M32, M60, R32: Update to version 1.10.02 or later
- E15, R15: Update to version 1.20.01 or later
Important firmware updates are automatically pushed to devices, but users can manually check and apply updates through the D-Link Device Mobile application or the device's web interface. Detailed instructions and download links are available on D-Link's support page.
Users should ensure that their devices are running the latest firmware version and disable the Telnet service if it has been activated. For critical environments, it is recommended to implement network segmentation and monitor network traffic closely to catch unauthorized access attempts.
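As an added example (not code from D-Link or TWCERT), the following Python script audits a device inventory against the fixed firmware versions listed above and flags any affected device that has Telnet enabled. The CSV column names and the sample hosts are assumptions made for illustration.

```python
# Added example, not vendor code. CSV column names are assumptions.
import csv
import io

# Minimum fixed firmware per model, taken from the article's list.
FIXED = {m: v for models, v in (
    ("G403 G415 G416 M18 R03 R04 R12 R18", "1.10.01"),
    ("E30 M30 M32 M60 R32", "1.10.02"),
    ("E15 R15", "1.20.01"),
) for m in models.split()}


def parse_version(text):
    """Turn '1.10.01' into (1, 10, 1); raise ValueError on anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Return a list of (host, model, finding) for rows needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, model = row["host"].strip(), row["model"].strip().upper()
        if model not in FIXED:
            continue  # not in the article's affected list
        try:
            outdated = parse_version(row["firmware"]) < parse_version(FIXED[model])
        except ValueError:
            findings.append((host, model, "unknown firmware, verify manually"))
            continue
        if outdated:
            findings.append((host, model, f"update to {FIXED[model]} or later"))
        if row["telnet_open"].strip().lower() == "yes":
            findings.append((host, model, "Telnet enabled, disable and investigate"))
    return findings


# Constructed sample inventory (hosts and versions are made up).
SAMPLE = """host,model,firmware,telnet_open
192.0.2.1,R15,1.20.00,no
192.0.2.2,M32,1.10.02,yes
192.0.2.3,G416,1.9.5,no
192.0.2.4,E15,beta,no
192.0.2.5,DIR-842,3.0.1,no
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Versions are compared numerically per component, so a value such as 1.9.5 is correctly treated as older than 1.10.01.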