D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers


D-Link has fixed critical vulnerabilities in three popular wireless router models that allow remote attackers to execute arbitrary code or access the devices using hardcoded credentials.

The impacted models are popular in the consumer networking market, especially among users looking for high-end WiFi 6 routers (DIR-X) and mesh networking systems (COVR).

The bulletin lists five vulnerabilities, three of which are rated critical, in the following firmware: COVR-X1870 (non-US) firmware versions v1.02 and below, DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older, and DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older.

The five flaws and their associated advisories are listed below:

  • CVE-2024-45694 (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device.
  • CVE-2024-45695 (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
  • CVE-2024-45696 (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network.
  • CVE-2024-45697 (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials.
  • CVE-2024-45698 (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials.

To fix the flaws, D-Link recommends customers upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

D-Link says it learned of the flaws from the country’s CERT (TWCERT) on June 24 but was not given the standard 90-day period to fix the flaws before they were disclosed.

“When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches,” D-Link stated in its security bulletin.

“The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer.”

BleepingComputer has not been able to find any previous public disclosure of these vulnerabilities and has contacted D-Link to learn more.

D-Link has not reported any in-the-wild exploitation of the flaws, but as D-Link is commonly targeted by malware botnets, installing the security updates remains crucial.



Source link