Asset and lifecycle management are complex initiatives that organizations should keep pace with as products reach the end of life (EOL) or end of support (EOS) and become obsolete. This obsolescence gives rise to security vulnerabilities that could be exploited by threat actors.
Cyber Security Works discovered four such vulnerabilities in D-Link models (CVE-2020-29321, CVE-2020-29322, CVE-2020-29323, and CVE-2020-29324) on August 17, 2020.
Cyber Security researchers reported hardcoded telnet credentials in the firmware of the four D-Link models listed below:
D-Link Router DIR-868L-Telnet
D-Link Router DIR-880L-Telnet
D-Link Router DIR-885L-MFC
D-Link Router DIR-895L MFC
The vulnerability was reported to the vendor on 08/18/2020. The CSW team reported unauthenticated credential disclosure through decompilation of firmware in the following devices –
DIR-868L Rev. C1 – FW v3.01
DIR-880L Rev. Ax – FW v1.07
DIR-885L Rev. Ax – FW v1.15b02
DIR-895L Rev. Ax – FW v1.21b05
|August 17, 2020||Discovered in our research lab|
|August 18, 2020||Vulnerability reported to the vendor, who acknowledged it|
|August 20, 2020||Vendor responded saying “elevated to D-Link Corporation”|
|Sep 4, 2020||Follow up|
|Sep 7, 2020||Vendor responded saying they need more time for review and a response from R&D|
|Sep 10, 2020||Vendor responded with a support announcement|
Multiple vulnerabilities have been discovered in D-Link models, the most severe of which could allow arbitrary code execution. The reported devices have End of Support (“EOS”) status, also known as End of Life (“EOL”). As a general policy, when a product reaches EOS/EOL, it can no longer be supported, and all firmware development for the product ceases. Products purchased in the US that have reached EOS/EOL are moved to the Legacy Products site (legacy.us.dlink.com), which is the final archive as of the EOS/EOL date.
|Model||Region||Hardware Revision||Last Sales Date||End of Support|
The telnet hardcoded default credentials are the vulnerable elements in the firmware of DIR-868L, DIR-880L, DIR-885L/R, and DIR-895L/R.
Proof of Concept
Vulnerability Name: Telnet Hardcoded credentials
Steps to Reproduce
Step 1: Extract the firmware
Step 2: Run the command cat etc/init0.d/S80telnetd.sh to get the username and the location of the variable used for storing the password.
Step 3: Run the command cat etc/config/image_sign to get the password
Figure 1: Clear text showing username
Figure 2: The password is printed in the terminal
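The manual steps above can be turned into a repeatable firmware-audit check. The script below is an added example, not code from CSW or D-Link: it scans the init scripts of an extracted root filesystem for a telnetd launch that carries a user and a secret, and reports which file in the image supplies that secret without printing it. The function names, the `-u USER:SECRET` launch form and the sample tree (placeholder user name and file contents) are assumptions made for illustration.

```shell
#!/bin/sh
# audit_telnet_creds ROOT: scan init scripts under an extracted firmware root
# for a telnetd launch that carries a user:secret pair. Prints one FINDING
# line per hit (never the secret itself); returns 0 on a hit, 1 otherwise.
audit_telnet_creds() {
    root=$1; rc=1
    for script in "$root"/etc/init.d/* "$root"/etc/init0.d/*; do
        [ -f "$script" ] || continue
        # Assumed launch form: telnetd ... -u USER:SECRET
        cred=$(sed -n 's/.*telnetd.*-u[ ]*\([^: ]*\):\([^ ]*\).*/\1 \2/p' "$script" | head -n 1)
        [ -n "$cred" ] || continue
        user=${cred%% *}; secret=${cred#* }; src=literal
        case $secret in
        \$*)
            # SECRET is a shell variable: find the file that feeds it,
            # i.e. an assignment that runs "cat PATH" in a command substitution.
            var=$(printf '%s' "$secret" | tr -d '${}')
            path=$(sed -n "s/.*$var=[\`\$(]*cat[ ]*\([^\`) ]*\).*/\1/p" "$script" | head -n 1)
            if [ -n "$path" ] && [ -s "$root$path" ]; then
                src="file:$path"
            else
                src=unresolved
            fi
            ;;
        esac
        rel=${script#"$root"}
        echo "FINDING script=$rel user=$user secret_source=$src"
        rc=0
    done
    return $rc
}

# make_sample_root DIR: build a small constructed firmware tree for testing.
# The user name and file contents are placeholders, not values from any image.
make_sample_root() {
    mkdir -p "$1/etc/init0.d" "$1/etc/config"
    printf 'PLACEHOLDER_SIGNATURE\n' > "$1/etc/config/image_sign"
    cat > "$1/etc/init0.d/S80telnetd.sh" <<'EOF'
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
telnetd -l /usr/sbin/login -u sampleuser:$image_sign -i br0 &
EOF
}

# With a path argument, audit that extracted root; otherwise define only.
[ "$#" -eq 0 ] || audit_telnet_creds "$1"
```

A finding with `secret_source=file:...` means the password is a static file shipped in every copy of the image, so it is identical on all devices running that firmware.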
Exploited D-Link firmware with hardcoded default credentials
|Affected Firmware||Associated URL||Username||Password|
|DIR-868L C1 FW v3.01||https://tsd.dlink.com.tw/downloads-2008detailgo.asp||Alphanetworks||wrgac35_dlink.2013gui_dir868lc|
|DIR-880L B08 v1.07||http://legacyfiles.us.dlink.com/DIR-880L/REVA/FIRMWARE/||Alphanetworks||wrgac16_dlink.2013gui_dir880|
The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data.
CSW reported the identified hardcoded telnet credentials in four firmware images, and the D-Link team acknowledged the report. They provided a support announcement in response to the recommendations provided by our team for these D-Link products.