D-Link has begun to push out firmware updates for some of its home routers, to address three separate vulnerabilities that could allow remote code injection via access to the local area network, perform DNS hijacking, or exploit chipset utilities in the router firmware that expose configuration information.
The company said in an advisory that it will release several updates between now and March 10.
The most critical flaw is a “ping” issue, which opens the door for all kinds of nefarious activity, according to the researchers that first discovered it.
“The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows an attacker to inject arbitrary commands into the router,” said Tiago Caetano Henriques of Swisscom, who discovered the main issue back in November. “Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/NAT rules on this router.”
The flaw was also discovered independently by researcher Peter Adkins in January. He added, “Due to the nature of the the ping.ccp vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a webpage with a malicious HTTP form embedded (via CSRF),” Adkins explained.
CSRF stands for cross-site request forgery, which is a type of attack that occurs when a malicious website, email, blog, instant message or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
D-Link users should apply the security patches as they come out. Home routers are always a popular target for hackers, as default passwords and generally lax patching and security practices among non-tech-savvy consumers are all too common.