silversurfer
A vulnerability in D-Link firmware powering multiple routers with VPN passthrough functionality allows attackers to take full control of the device.
The bug affects router models DSR-150, DSR-250/N, DSR-500, and DSR-1000AC running firmware version 3.17 or below.
Reported by Digital Defense's Vulnerability Research Team on August 11, the flaw is a root command injection that can be exploited remotely if the device's "Unified Services Router" web interface is reachable over the public internet.
"Consequently, a remote, unauthenticated attacker with access to the router’s web interface could execute arbitrary commands as root, effectively gaining complete control of the router" - Digital Defense
The table below lists vulnerable router models and links to the updated firmware version containing the fix:
| Model | Hardware Revision | Region | Affected FW | Fixed FW | Recommendation | Last Updated |
|---|---|---|---|---|---|---|
| DSR-150 | All Rev. A Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-150 | All Rev. A Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-150 | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-150 | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-150N | All Rev. A Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-150N | All Rev. A Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-150N | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-150N | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-250 | All Rev. A Hardware Revisions | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-250 | All Rev. A Hardware Revisions | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-250 | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-250 | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. A Hardware Revisions | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. A Hardware Revisions | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. B Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. B Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. C Hardware Revision | Worldwide | v3.17 & Below | v3.17B401C_WW | Download and Update Device | 12/02/2020 |
| DSR-250N | All Rev. C Hardware Revision | Russian | v3.17 & Below | v3.17B401C_RU | Download and Update Device | 12/02/2020 |
D-Link VPN routers get patch for remote command injection bugs
www.bleepingcomputer.com