A security researcher from Trustwave has discovered vulnerabilities in several D-Link and Comba routers which could make it easy for cybercriminals to see usernames and passwords stored on the devices.
Trustwave SpiderLabs’ Simon Kenin found a total of five security flaws, two in D-Link routers and three in multiple Comba Telecom routers, that have the potential to affect every user and system connected to the network. Kenin explained why these vulnerabilities are so serious in a blog post detailing his findings, saying:
“An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites. An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website.”
The first D-Link vulnerability affects the D-Link DSL-2875AL dual band modem. This router contains a password disclosure vulnerability that allows anyone with access to the web-based management IP address to access passwords stored there in clear text without authentication. The second vulnerability also affects this model, as well as DSL-2877AL, and it could allow an attacker to access the ISP account or the router itself if admins reused the same credentials.
Three vulnerabilities were found in the Comba AC2400 Wi-Fi Access Controller and the Comba AP2600-I WiFi Access Point. An easily reversed MD5 hash of the device password of the first device was found stored in a configuration file, while the second device contained two vulnerabilities: a double-MD5 hashed version of the username and password for the device was discovered in the source code of the login page, and a database was found to be used to store the username and password in plain text.
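To make concrete why the storage styles described above (clear text, an unsalted MD5 hash, and MD5 applied twice) are weak, here is an added audit example. It is not code from Trustwave, D-Link or Comba: the configuration format, field names, password values and the tiny wordlist are all constructed, and PBKDF2-SHA256 with a random salt is my choice of a stronger alternative. The audit classifies each credential field and shows that a single or double MD5 of a short password falls to a dictionary lookup, whereas the salted, iterated record does not match any precomputed value.

```python
"""Audit a device configuration for weak credential storage (added example).

Constructed sample data only: the config keys, values and wordlist are made
up. Plaintext, unsalted MD5 and double MD5 mirror the storage styles the
research described; PBKDF2-SHA256 is shown as the stronger alternative.
"""
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SENSITIVE_KEY = re.compile(r"pass|hash|secret", re.IGNORECASE)

# Constructed wordlist standing in for a real password dictionary.
SMALL_WORDLIST = ["admin", "password", "summer2019", "comba123"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def double_md5_hex(text: str) -> str:
    # MD5 of the MD5 hex string: the "double MD5" style found on the login page.
    return md5_hex(md5_hex(text))


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Stronger storage: random salt plus a slow KDF, in a self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_sample_config() -> str:
    """Constructed config mixing the three weak styles with one KDF record."""
    return "\n".join([
        "admin_user=admin",
        "admin_pass=summer2019",                          # clear text
        f"wifi_pass_md5={md5_hex('comba123')}",           # unsalted MD5
        f"login_hash={double_md5_hex('password')}",       # MD5 applied twice
        f"admin_pass_kdf={hash_password('summer2019')}",  # salted PBKDF2
    ])


def classify_value(value: str, wordlist=SMALL_WORDLIST) -> str:
    if value.startswith("pbkdf2_sha256$"):
        return "kdf"
    if not MD5_HEX.match(value):
        return "plaintext"
    # Without a salt every candidate costs one or two fast hashes, so even a
    # tiny wordlist recovers the original password.
    for word in wordlist:
        if md5_hex(word) == value:
            return "unsalted-md5"
        if double_md5_hex(word) == value:
            return "double-md5"
    return "md5-not-in-wordlist"


def audit_config(text: str, wordlist=SMALL_WORDLIST) -> List[Tuple[str, str]]:
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not SENSITIVE_KEY.search(key):
            continue
        findings.append((key.strip(), classify_value(value.strip(), wordlist)))
    return findings


if __name__ == "__main__":
    for key, verdict in audit_config(build_sample_config()):
        print(f"{key:16} {verdict}")
```

Run as a script it prints one verdict per credential field; the `kdf` record is the only one the wordlist check cannot resolve, which is exactly the property a per-user salt and an iterated hash are meant to give you.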
Trustwave reached out to both D-Link and Comba about the vulnerabilities it discovered though both companies seemed reluctant to patch the issues. D-Link was given an extension to Trustwave’s 90-day disclosure window after the company said it needed more time to address the vulnerabilities though it eventually ended communication with the firm. Luckily, D-Link did end up releasing updated firmware for both devices (DSL-2875AL, DSL-2877AL) to patch the vulnerabilities.
Comba, on the other hand, was unresponsive after Trustwave reached out multiple times, and the company has yet to address the vulnerabilities in its devices.