Jump to content
  • D-Link says it is not fixing four RCE flaws in DIR-846W routers


    Karlston

    • 314 views
    • 3 minutes
     Share


    • 314 views
    • 3 minutes

    D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported.

     

    The four RCE flaws, three of which are rated critical and do not require authentication, were discovered by security researcher yali-1002, who released minimal details in their GitHub repository.

     

    The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.

     

    The flaws are summarized as follows:

     

    • CVE-2024-41622: Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 "critical")
    • CVE-2024-44340: RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (authenticated access requirement reduces the CVSS v3 score to 8.8 "high").
    • CVE-2024-44341: RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 "critical")
    • CVE-2024-44342: RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 "critical")

     

    Though D-Link acknowledged the security problems and their severity, it noted that they fall under its standard end-of-life/end-of-support policies, meaning there will be no security updates to address them.

     

    "As a  general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," reads D-Link's announcement.

     

    "D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it," adds the vendor further down in the bulletin.

     

    It is noted that DIR-846W routers were sold primarily outside the U.S., so the impact of the flaws should be minimal in the States, yet still significant globally. The model is still sold in some markets, including Latin America.

     

    Though DIR-846 reached the end of support in 2020, over four years ago, many people only replace their routers once they face hardware problems or practical limitations, so a lot of people could still use the devices.

     

    D-Link recommends that people still using the DIR-846 retire it immediately and replace it with a currently supported model.

     

    If that is impossible, the hardware vendor recommends that users ensure the device runs the latest firmware, use strong passwords for the web admin portal, and enable WiFi encryption.

     

    D-Link vulnerabilities are commonly exploited by malware botnets, such as Mirai and Moobot, to recruit devices into DDoS swarms. Threat actors have also recently exploited a D-Link DIR-859 router flaw to steal passwords and breach devices.

     

    Therefore, securing the routers before proof-of-concept exploits are released and abused in attacks is vital.

     

    Source


    RIP Matrix | Farewell my friend  :sadbye:

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every single day for many years.

    2023: Over 5,800 news posts | 2024 (till end of August): 3,792 news posts


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...