In a post on Full Disclosure, security professionals and students from Search Lab and the Universidad Europea de Madrid exposed a number of security vulnerabilities in D-Link devices used within the enterprise, as well as SOHO routers commonly found in households.
The release follows the exposure of a NetUSB flaw, revealed in May, which leaves potentially millions of routers and Internet of Things (IoT) devices used in households vulnerable to hijacking. As more security problems are discovered in such devices and revealed in the public domain, the need for vendors to invest more in home product security — and the need for the general public to change default settings — is highlighted.
In addition, enterprises are placed at risk if they use devices with out-of-date firmware that contains vulnerabilities, and such weaknesses in the chain can place an entire corporate network at risk by acting as a conduit for cyberattacks.
Search Lab, based in Budapest, Hungary, performed an independent assessment on four different D-Link devices. In total, 53 unique vulnerabilities were identified in the latest firmware used in these devices, which was last updated in 2014.
According to the team, the affected devices include the D-Link DNS-320 ShareCenter 2-Bay Network Storage Enclosure, the DNS-320L cloud enclosure, the D-Link DNS-327L ShareCenter and DNR-326 2-Bay Professional Network Video Recorder (NVR), among others.
Several vulnerabilities allow remote attackers to execute arbitrary code. According to the team, the firmware’s security holes allow attackers to take full control over a device, and “half-baked security workarounds” within the firmware — included to fix previous vulnerabilities — contain problems of their own, leading to “even more serious problems.”
“Even though there were several security patches and workarounds in the session management part of the code, we still found serious problems. It was still possible to perform unauthenticated file upload to an arbitrarily chosen location, which also led to the possibility for an attacker to take full control over the device,” the team says.