Backdoor Account Found in D-Link DIR-620 Routers

[steven36]

Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet.

 

 

Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account.

The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.

To prevent abuse, Kaspersky researchers have refrained from disclosing the backdoor's account username and password.

 

 

One other vulnerability can disclose Telnet credentials

The backdoor account (CVE-2018-6213) is just one of four vulnerabilities Kaspersky researchers found in the firmware of these devices following a recent security audit. The other three flaws include:

Quote

CVE-2018-6210 - a vulnerability that lets attackers recover Telnet credentials
 CVE-2018-6211 - a flaw that lets attackers execute OS commands via one of the admin panel's URL parameters
CVE-2018-6212 - a reflected cross-site scripting (XSS) vulnerability in the router's "Quick Search" admin panel field

 

Both CVE-2018-6210 and CVE-2018-6213 are considered dangerous flaws as they allow attackers easy access to the device.

 

Not that many devices left around to exploit

The good news is that D-Link DIR-620 devices are older router models and there aren't that many around to exploit.

 

Most of these devices were deployed by Russian, CIS, and Eastern European ISPs as on-premise equipment provided to broadband customers.

 

The vast majority of these devices are located in Russia, and Kaspersky said it already contacted ISPs to inform them of the issue.

 

Shodan searches for these devices reveal less than 100 DIR-620 routers available online, showing that most ISPs have headed Kaspersky's warnings and restricted access to these devices on their networks.

D-Link won't release firmware updates for such an old device

Kaspersky experts said they've also contacted D-Link about the discovered issues, but the company said it did not intend to issue new firmware updates for such an older model unless one of the ISPs it has as an enterprise customer specifically request a security update for these devices.

 

Researchers said they tested the following DIR-620 firmware versions and found that they included the four flaws, in various degrees:

Quote

1.0.3
1.0.37
1.3.1
1.3.3
1.3.7
1.4.0
2.0.22

 

Source

[DKT27]

If one sees the amount of routers which still use default username and passwords, I doubt anyone needs any such security vulnerabilities to exploit them.