Securin (previously CSW) Disclosed 4 Hardcoded Credentials on D-Link Products

Asset and lifecycle management are complex initiatives that organizations should keep pace with as products reach the end of life (EOL) or end of support (EOS) and become obsolete. This obsolescence gives rise to security vulnerabilities that could be exploited by threat actors. 

Cyber Security Works discovered four such vulnerabilities in D-Link Models – CVE-2020-29321, CVE-2020-29322, CVE-2020-29323, and CVE-2020-29324 on August 17,2020.

Detection

Cyber Security researchers have reported telnet hardcoded credentials in four firmware in D-Link models listed below:

  1. D-Link Router DIR-868L-Telnet

  2. D-Link Router DIR-880L-Telnet

  3. D-Link Router DIR-885L-MFC

  4. D-Link Router DIR-895L MFC

Disclosure 

The vulnerability was reported to the vendor on 08/18/2020. The CSW team reported unauthenticated credential disclosure through decompilation of firmware in the following devices –

  1. DIR-868L Rev. C1 – FW v3.01 

  2. DIR-880L Rev. Ax – FW v1.07 

  3. DIR-885L Rev. Ax – FW v1.15b02 

  4. DIR-895L Rev. Ax – FW v1.21b05 

Timeline

Date   Description
August 17,2020 Discovered in our research lab
August 18,2020 Vulnerability reported to Vendor who acknowledged the same
August 20, 2020 Vendor responded saying “elevated to D-Link Corporation
Sep 4, 2020 Follow up
Sep 7, 2020 Vendor responded saying need more time to review and response from R&D  
Sep 10, 2020 Vendor responded with a support announcement

Incident Analysis

Multiple vulnerabilities have been discovered in D-Link models, the most severe of which could allow arbitrary code execution. The status of the devices reported are End of Support (“EOS”), also known as End of Life (“EOL”). As a general policy, when a product reaches EOS/EOL, it can no longer be supported, and all firmware development for the product ceases. Products purchased in the US that have reached EOS/EOL are moved to the Legacy Products site (legacy.us.dlink.com) which is the final archive as of the EOS/EOL date.

Model Region Hardware Revision Last Sales Date End of Support
DIR-868L Globally A1/A2/B1/C1 n/a 06/30/20
DIR-868L Only USA A1 10/31/18 08/07/20
DIR-880L Globally A1/A2 n/a 01/10/19
DIR-880L Only USA A1/A2 02/12/19 08/07/20
DIR-885L/R Globally A1/A2/A3 n/a 01/10/19
DIR-885L/R Only USA A1 02/12/19 08/07/20
DIR-885L/R Globally A1/A2/A3 n/a 01/10/19
DIR-885L/R Only USA A1 12/08/16 08/07/20

Vulnerability Analysis

The telnet hardcoded default credentials are the vulnerable elements in the firmware of DIR-868L, DIR-880L, DIR-885L/R, and DIR-895L/R.

Proof of Concept

Vulnerability Name: Telnet Hardcoded credentials

Severity: High

Steps to Reproduce

Step 1: Extract the firmware

Step 2: Run the command cat etc/init0.d/S80telnetd.sh to get the username and the location of the variable used for storing the password.
Step 3: Run the command cat etc/config/image_sign to get the password

Figure 1: Clear text showing username

Figure 2: The password is printed in the terminal

Exploited D-Link firmware with hardcoded default credentials

Affected Firmware Associated URL Username Password
DIR-868L C1 FW v3.01 https://tsd.dlink.com.tw/downloads-2008detailgo.asp Alphanetworks wrgac35_dlink.2013gui_dir868lc
DIR-880L B08 v1.07 http://legacyfiles.us.dlink.com/DIR-880L/REVA/FIRMWARE/ Alphanetworks wrgac16_dlink.2013gui_dir880
DIR885LA1_FW115b02 https://tsd.dlink.com.tw/downloads-2008detail.asp Alphanetworks wrgac42_dlink.2015_dir885l
DIR895LA1_FW121b05_middle.
magic.v1.15
https://tsd.dlink.com.tw/downloads-2008detailgo.asp Alphanetworks

wrgac40_dlink.2015_dir895l

Impact

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data.

Recommendations

CSW reported the identified telnet hardcoded credentials in four firmware, which was acknowledged by the D-Link team. They provided a support announcement in response to the recommendations provided by our team for these D-Link products.

Announcement from D-Link

Reference

Zero Days

Share This Post On