D-Link wireless modems found to leak passwords

Trustwave's Spiderlabs has uncovered credential leaking vulnerabilities in D-Link wireless ADSL2+ modem routers that are "widely available in Australia".

D-Link DSL-2877AL

Researcher Simon Kenin found that the discontinued D-Link DSL-2875AL wireless ADSL2+ modem leaks passwords through its web-based management interface.

Anyone with local network access can simply use a web browser to view the romfile.cfg file stored on the router, without any authentication required. The file contains the password to the device in clear text.

Similarly, the DSL-2875AL leaks user credentials via the hyper text markup language source for the router login page.

By searching for the username_v and password_v variables in the index.asp page, an attacker on the local network can get the login credentials to subscribers' internet provider accounts.

Trustwave - which is owned by Singtel - says the vulnerabilites are serious as they allow attackers to control the routers over which all user data travels to their internet providers.

The security vendor reported the vulnerabilties to D-Link, but said the router vendor's response was "confusing and unfortunately very typical for organisations not set up to accept security problem [reports] from third party researchers."

D-Link was given a 90-day period of time before publication of the vulnerabilites by Trustwave, as part of the company's responsible disclosure policy, and initially said it would escalate the issue with its reseach and development group.

Trustwave extended the deadline after D-Link said it could not escalate the issue, and eventually stopped responding to Trustwave altogether.

Ahead of publication of the vulnerabilities, D-Link told Trustwave that it had issued patches for the flaws. 

"While it’s always good to hear that vulnerabilities have been patched (that is our goal after all) it sometimes takes the leverage of full disclosure to force organisations to scramble to do in one week what nine months of good faith outreach could not," Trustwave's Kenin said.

New firmware is available for the DSL-2875AL and the DSL-2877AL but D-Link has so far not published details on how it has fixed the vulnerabilities.

The firmware along with other updates is accessed from D-Link's support site via the plain-text HTTP web page protocol, and not the secure, encrypted HTTPS.

Update, 11/9 at 1.30pm:

A D-Link spokesperson told iTNews that the vulnerabilities were not present in newer devices sold in Australia, and were taken care of three years ago for the older router.

"DSL-2877AL is still selling although on in its last legs now, however, we released the product with firmware version 1.00.06, which was above the version where they have found these vulnerabilities (1.00.01 and 1.00.05)," the spokesperson said.

"Essentially, they never shipped into Australia with this issue".

The spokesperson said that the DSL-2875AL device has been discontinued for more than 12 months now, but the security issue Trustwave reported was patched in 2016.

D-Link Australia also alleged that the security reseachers had never reached out to them.

Trustwave SpiderLabs senior threat intelligence manager Karl Sigler shot back saying D-Link had nine months to say that its researcher may have found a vulnerability in a router that simply hadn’t been updated, but didn’t do so.

"They also had nine months to tell us those models are Australia-only and connect us with the D-Link Australia team but didn’t,” Sigler said.

"If our researcher found vulnerabilities in a router that simply hadn’t been updated, why couldn’t they simply tell us back in January? Instead it was D-Link that put the issue in R&D’s queue and led us to believe that they were 'working on it'."

Sigler insisted the communications breakdown was at D-Link’s end and that it would affect “any other vulnerability researcher trying to submit bugs to the company." 

"We should not be held accountable for their own internal confusion and communication breakdown,” Sigler said.