D-Link fixed five critical and high-severity vulnerabilities in home Wi-Fi routers, including two buffer overflow flaws enabling remote code execution (RCE) and flaws involving hidden hard-coded credentials that could be exploited by attackers.
The Taiwan-based company released an advisory Monday addressing all five flaws, noting that the issues were reported by the Taiwan Computer Emergency Response Team (TWCERT) on June 8.
Two of the most severe flaws, tracked as CVE-2024-45694 and CVE-2024-45695, which have critical CVSS scores of 9.8, are both stack-based buffer overflow flaws that could enable an unauthenticated attacker to achieve RCE.
CVE-2024-45694 affects the Wi-Fi 6 router models DIR-X4860 and DIR-X5460, which are sold globally and marketed for home use, while CVE-2024-45695 only affects the DIR-X5460. The affected firmware versions are DIR-X4860 A1 version 1.00 and 1.04, and DIR-X5460 AI version 1.01, 1.02, 1.04 and 1.10.
Users should upgrade to DIR-X4860 A1 firmware version 1.04B05 or later and DIR-X5460 A1 firmware version 1.11B04 or later in order to prevent RCE.
D-Link hidden features, hard-coded credentials risk exploitation
The other three D-Link vulnerabilities involve hard-coded credentials in the DIR-X4860 router, as well as the COVR-X1870 dual band mesh Wi-Fi 6 router, which is a discontinued product but still receives security updates.
A critical flaw tracked as CVE-2024-45697, with a CVSS score of 9.8, stems from a hidden functionality in the DIR-X4860 that enables telnet service when the wide area network (WAN) port is plugged in and could enable an attacker to log in using hard-coded credentials. The attacker could leverage this vulnerability and the unauthorized access it affords to execute operating system (OS) commands.
CVE-2024-45697 affects DIR-X4860 A1 firmware versions 1.00 and 1.04 and is fixed by upgrading to version 1.04B05 or later.
The last two vulnerabilities, tracked as CVE-2024-45696 and CVE-2024-45698, both have high CVSS scores of 8.8. CVE-2024-45696 affects both DIR-X4860 (versions 1.00 and 1.04) and COVR-X1870 firmware versions 1.02 or earlier. In this case, a hidden functionality in the routers enables an attacker to enable the telnet service by sending specific packets to the web service.
Once the telnet service is enabled, the attacker can use hard-coded credentials to log in; however, the attacker would need to be on the same local network as the victim for this attack to work. Users can resolve this flaw by updating to firmware versions 1.04B05 or later for the DIR-X4860 and 1.03B01 or later for the COVR-X1870 model.
CVE-2024-45698 affects DIR-X4860 firmware versions 1.00 and 1.04, which do not properly validate user input in the telnet service and enable arbitrary OS command injection by attackers who log in using hard-coded credentials. The upgrade to DIR-X4860 A1 version 1.04B05 or later also resolves this issue.
D-Link’s advisory stated that TWCERT “publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule.”
When SC Media reached out to D-Link for clarification, a spokesperson said TWCERT “shared the embargoed information” on June 8, 2024, and that D-Link shared the fixes with TWCERT prior to Sept. 9, after which TWCERT “scheduled the public disclosure for Sept. 16, 2024, which we followed at their request of public disclosure prior to our post.”
The D-Link spokesperson referenced a “90-day MAX mitigation cycle” but it is unclear whether the 90 days were meant to begin once the patch was shared with TWCERT or once the issues were first reported to D-Link by TWCERT in June.
SC Media requested additional clarification and the D-Link spokesperson emphasized again that “TWCERT set the release date to the 16th based on feedback from D-Link Corporation” without providing further details how the 90-day schedule was allegedly not followed.
D-Link routers are common targets for threat actors, with 20 D-Link vulnerabilities currently included in the Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Most recently, two older vulnerabilities in end-of-life D-Link routers were added to the catalog in May 2024.