The Cybersecurity and Infrastructure Security Agency (CISA) on May 16 added two end-of-life D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, pointing out that security teams should patch immediately and retire the devices if possible because the bugs were exploited in the wild.
CISA said the first bug — CVE-2014-100005 — was on D-Link DIR-600 routers that contained a cross-site request forgery (CSRF) flaw that lets attackers change router configurations by hijacking an existing administrator session.
The second D-Link vulnerability — CVE-2021-40655 — affected D-Link DIR-605 routers that contain an information disclosure vulnerability that lets attackers obtain a user name and password by forging a POST request to the /getcfg.php page.
Sarah Jones, cyber threat intelligence research analyst at Critical Start, said exploiting CVE-2014-100005 lets attackers grant unauthorized access to modify network configurations, potentially redirecting traffic, blocking legitimate access, or even launching attacks on other devices.
Jones added that CVE-2021-40655 lets attackers steal usernames and passwords in plain text from D-Link DIR-605 routers. Attackers could use these stolen credentials to gain access to the router's settings or other accounts that reuse the same login information.
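As an added defensive example (not from the article or from D-Link), the script below scans constructed access-log lines for the two exploitation patterns described above: POST requests to /getcfg.php and configuration POSTs whose Referer comes from a foreign origin, the tell-tale of a CSRF attempt against an authenticated admin session. The log format, the management LAN 192.168.0.0/24, the router address 192.168.0.1 and the sample lines are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed (not stated in the article): a sensor in front of the router's admin
# interface records Apache combined-format access logs, including the Referer.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LAN = ip_network("192.168.0.0/24")  # assumed management network
ROUTER_HOST = "192.168.0.1"         # assumed router admin address

# Constructed sample log; only /getcfg.php comes from the article, /setup.php is hypothetical.
SAMPLE_LOG = """\
192.168.0.23 - - [16/May/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "http://192.168.0.1/" "Mozilla/5.0"
192.168.0.23 - - [16/May/2024:10:01:09 +0000] "POST /setup.php HTTP/1.1" 200 88 "http://evil.example/" "Mozilla/5.0"
203.0.113.7 - - [16/May/2024:10:02:30 +0000] "POST /getcfg.php HTTP/1.1" 200 1400 "-" "curl/8.0"
""".splitlines()


def referer_host(referer):
    """Return the host part of an http(s) Referer, or None when absent ("-")."""
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1) if m else None


def analyze(lines):
    """Return (source_ip, path, reason) findings for suspicious admin-interface POSTs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only POSTs matter for both vulnerabilities
        src, path = m["src"], m["path"]
        if path == "/getcfg.php":
            findings.append((src, path, "POST to /getcfg.php: possible credential disclosure (CVE-2021-40655)"))
        host = referer_host(m["referer"])
        if host is not None and host != ROUTER_HOST:
            findings.append((src, path, f"cross-origin POST from {host}: possible CSRF (CVE-2014-100005)"))
        try:
            if ip_address(src) not in LAN:
                findings.append((src, path, "admin POST from outside management LAN"))
        except ValueError:
            pass  # non-IP source field; ignore
    return findings


if __name__ == "__main__":
    for src, path, reason in analyze(SAMPLE_LOG):
        print(f"{src} {path}: {reason}")
```

A missing Referer is not flagged as CSRF on its own, since browsers and privacy tools strip it legitimately; the /getcfg.php and off-LAN rules still catch that case.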
“The urgency for patching stems from the confirmed exploitation of these vulnerabilities and their apparent ease of use,” said Jones. “Security teams should prioritize addressing these issues immediately. In the case of CVE-2014-100005, since it affects unsupported devices, replacing the outdated routers altogether is the recommended course of action.”
Casey Ellis, founder and chief strategy officer at Bugcrowd, explained that these vulnerabilities affect hardware that is essentially home or SOHO network equipment. So, it’s important to remember that if it’s possible for an attacker to modify a router configuration, they can then establish persistence and effectively own the entire network behind that router.
“We first saw malware exploiting this phenomenon early in the pandemic, during the shift to work-from-home,” said Ellis. “Post-pandemic, hybrid and work-from-home are still common practice across the globe, which makes the home network a predictable extension of the corporate attack surface, making the routers of these networks an attractive and sensible target for a wide variety of threat actors.”