Security News > 2020 > June > WFH Alert: Critical Bug Found in Old D-Link Router Models
D-Link is urging customers to replace its now-obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack.
"The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use," researchers wrote.
According to the advisory, the D-Link patch only fixes three bugs found by Unit 42: the cross-site scripting bug, inadequate encryption strength and one of the cleartext storage of sensitive information flaws.
"The web interface for this router is controlled by the backend engine called cgibin.exe. Most requests for web pages are sent to this controller. If a request for scandir.sgi is made, a malicious actor can inject arbitrary code to be executed on the router with administrative privileges," researchers wrote.
Researchers lumped the router into a group of 13 popular SOHO Wi-Fi routers open to some sort of local or remote attack.
News URL
https://threatpost.com/word-from-home-alert-critical-d-link-bug/156573/