Trustwave security researcher Simon Kenin has discovered multiple bugs in D-Link and Comba routers, which could put users’ passwords and usernames at risk of being accessed by cybercriminals.
Kenin explained that these flaws are serious because a router that’s been taken over by an outside party can “manipulate how your users resolve DNS hostnames to direct your users to malicious websites.”
“An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website,” he said.
In D-Link routers, two flaws were discovered in the firmware for the DSL-2875AL and DSL-2877AL wireless ADSL modem/router.
In a post detailing the findings, Trustwave’s Karl Sigler wrote that D-Link’s response to the discovery of the bugs was “confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs.”
Sigler said Trustwave gave D-Link an extension to its 90-day disclosure window after the firm claimed its team was “unable to escalate the issue” with its R&D group within the initial window of time provided. D-Link eventually deployed firmware updates for both devices (DSL-2875AL, DSL-2877AL) to patch the flaws.
“Users of these routers and access points will want to verify that they are on the most recent firmware and may want to use internal filtering controls or a separate filtering device like a firewall to limit access to the web-based management of these devices to only a small set of authorized IP addresses,” Trustwave said.
Comba router vulnerabilities
The researchers found three vulnerabilities in Comba’s AC2400 Wi-Fi Access Controller and AP2600-I Access Point.
The flaw found in the AC2400 allows the MD5-hashed password to be stored in a plaintext file accessible to anyone who knows the device’s IP address. The AP2600-I flaws leave the MD5-hashed password stored in the source of the log-in webpage as well as in a config file, leaving both open to anyone who knows the device’s IP address.
Trustwave said its team reached out to Comba several times, but the company has not yet responded or issued a fix for the vulnerabilities.
“Unfortunately, there is not much in the way of mitigating the Comba Telcom findings,” said Trustwave. “After reaching out multiple times, Comba Telcom was simply unresponsive.”