Kaspersky found a backdoor account and security flaws in D-Link DIR-620 Routers

Researchers at Kaspersky Lab stated on Wednesday that they discovered four security flaws in the firmware of the D-Link DIR-620 router, including a hard-coded backdoor account (CVE-2018-6213, CVSS v3 score: 6.1) that allows an attacker to take over any vulnerable router that is accessible via the Internet.

The researchers stated that the backdoor account grants an attacker access to the router's web administration panel. Because the default login credentials are hard-coded, the router owner can neither change them nor disable the account. Access to the router's web management panel means that an attacker can extract sensitive data, such as a configuration file containing a plain-text password.

To prevent abuse, the researchers did not disclose the username and password of the backdoor account. They also stated that the only way to protect the router from hackers is to keep it from exposing its management panel on the WAN interface, since that exposure makes the panel publicly accessible via the Internet.

Among the other three vulnerabilities, CVE-2018-6212 (CVSS v3 score: 6.5) was described as a vulnerability that could lead to cross-site scripting (XSS) attacks, caused by a failure to filter special characters in fields and by the error handling of the XMLHttpRequest object.

The other two vulnerabilities, CVE-2018-6211 (CVSS v3 score: 9.1) and CVE-2018-6210 (CVSS v3 score: 10.0), are classified as high-risk vulnerabilities because they allow attackers to easily access and take over vulnerable routers. The former is described as an operating system command injection vulnerability caused by parameter processing. The latter is described as a vulnerability that allows an attacker to recover Telnet credentials. By using the default Telnet credentials, an attacker can gain administrative access to the router.

Kaspersky Lab tested several firmware versions of the DIR-620 and found that they were all affected by the four vulnerabilities to varying degrees. Specifically, the affected firmware versions include V1.0.3, V1.0.37, V1.3.1, V1.3.3, V1.3.7, V1.4.0, and V2.0.22.

Unfortunately, D-Link stated that they do not plan to issue new firmware updates for this older router model unless one of the ISPs proposes a security update for these devices. In this case, Kaspersky Lab offers the following suggestions:

  • Restrict any access to the web dashboard using a whitelist of trusted IPs
  • Restrict any access to Telnet
  • Regularly change your router admin username and password
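
One way to verify that the first two recommendations actually hold is to audit connection logs for management-service access from sources outside the allowlist. The following is an added example, not code from Kaspersky Lab or D-Link; the trusted networks, the port-to-service mapping, the log format and the sample log lines are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the article): the allowlisted networks, the management
# ports, and the "timestamp src_ip dst_port" log format are constructed.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/24", "203.0.113.10/32")]
MGMT_PORTS = {23: "telnet", 80: "web-panel", 443: "web-panel"}

# Constructed sample log: one accepted inbound connection per line.
SAMPLE_LOG = """\
2018-05-24T10:00:01 192.168.0.15 80
2018-05-24T10:02:13 198.51.100.7 23
2018-05-24T10:02:40 203.0.113.10 443
2018-05-24T10:03:05 198.51.100.7 80
2018-05-24T10:04:00 192.168.0.20 53
malformed line
2018-05-24T10:05:00 not-an-ip 80
"""

def is_trusted(addr):
    """True if the source address falls inside any allowlisted network."""
    return any(addr in net for net in TRUSTED_NETS)

def audit(log_text):
    """Return (violations, skipped).

    violations: (timestamp, source, service) for every connection to a
    management port from a source outside the allowlist.
    skipped: lines that could not be parsed, kept so they can be reviewed
    instead of being silently ignored.
    """
    violations, skipped = [], []
    for line in log_text.splitlines():
        try:
            ts, src, port = line.split()      # wrong field count -> ValueError
            addr = ipaddress.ip_address(src)  # invalid address -> ValueError
            port = int(port)
        except ValueError:
            skipped.append(line)
            continue
        if port in MGMT_PORTS and not is_trusted(addr):
            violations.append((ts, str(addr), MGMT_PORTS[port]))
    return violations, skipped

if __name__ == "__main__":
    found, unparsed = audit(SAMPLE_LOG)
    for ts, src, service in found:
        print(f"{ts} non-allowlisted access to {service} from {src}")
    print(f"{len(unparsed)} unparseable line(s) need manual review")
```

Any violation reported here means the allowlist or the Telnet restriction is not being enforced at the device or upstream firewall.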