D-Link Declines to Patch RCE Vulnerabilities That Affected End-of-Life Routers


A significant security vulnerability has been reported in the DAP-2310, specifically affecting Hardware Revision A with Firmware version 1.16RC028.

Hahna Latonick of Dark Wolf Solutions identified the vulnerability, which has been named “BouncyPufferfish.” It is a stack-based buffer overflow in the ATP binary that handles PHP HTTP requests for the Apache HTTP Server running on the device.


D-Link has announced that the DAP-2310 Wireless Access Point, along with all its hardware revisions, has officially reached its End-of-Life (EOL) and End-of-Service (EOS) status. This means that the device will no longer receive support or firmware updates.

D-Link strongly advises users to retire and replace these devices to ensure network security and performance.

Security Vulnerability Discovered

This vulnerability allows for unauthenticated remote code execution (RCE), enabling attackers to execute arbitrary shell commands on the device.

The exploit is triggered by a crafted HTTP GET request that overflows the stack buffer and redirects execution into a Return-Oriented Programming (ROP) chain, which ultimately calls the system() function.

The vulnerability affects all hardware revisions of the DAP-2310 model worldwide. The device reached its end of support on November 30, 2021, and the last update was provided on July 9, 2024.

Recommendations for Users

D-Link emphasizes the importance of replacing EOL/EOS devices to mitigate security risks. For users who continue to operate the DAP-2310 against this recommendation, the company advises the following precautions:

  • Ensure the device is running the latest available firmware.
  • Regularly update the device’s unique password for web configuration access.
  • Enable Wi-Fi encryption with a unique password to protect the network.

As technology evolves, older devices like the DAP-2310 become more susceptible to vulnerabilities and are no longer supported by manufacturers. Users are encouraged to upgrade to newer, more secure devices to maintain the integrity and security of their networks. For further guidance on suitable replacements, users should contact their regional D-Link office.
