Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Critical Vulnerabilities on the D-Link DIR-2640 Router

High

Synopsis

Default password on Quagga Service (CVE-2021-20132)

CVSSv3 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score 8.8)

D-Link's DIR-2640 router, with the latest firmware (1.11B02) enables the Quagga network configuration services by default, with /sbin/zebra listening on tcp port 2601 and /sbin/ripd listening on tcp port 2602. These services are configured to use a default password for both accessing the command line interface and escalating privileges with the enable command. This password can be easily discovered, and used to gain complete control of both services, each of which are running with root privileges (that is, as the admin user, with UID 0).

Arbitrary file read and denial of service (CVE-2021-20133)

CVSSv3 Vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H (Base Score 6.1)

An attacker can read a large portion of any text file on the filesystem (since the daemon runs with root privileges) by dropping into the configuration terminal interface and then setting the path for the "message of the day" banner to any file on the system. A sensitive file such as /etc/passwd can be declared the "message of the day" in this fashion, and read by the attacker when they next connect to the service.

This will set the "message of the day" banner to contents of /etc/passwd. By logging back in, the attacker can retrieve the contents of the file. Long filess may be displayed only in part, and binary data will likely be corrupted, but reasonably short text files in the ASCII encoding can be read in their entirety in this fashion.
Reading the /etc/passwd file.
If the attacker sets the "message of the day" path to a special device such as /dev/urandom, then they can bring about a denial of service to the Quagga cli interface.

Arbitrary file append (CVE-2021-20134)

CVSSv3 Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Base Score 8.4)

An attacker can append to any file they wish in the Quagga command line interface by, again, entering the configuration terminal and then setting the path for the log file to any file they wish on the system. They can then issue a log message with the command logmsg alerts, which will be appended to the end of that file, following a short prefix. By appending to the end of a shell script, for instance, the attacker can achieve remote code execution as root (i.e., "admin"), so long as they are able to either trigger the execution of that script, or wait until the script is executed. This technique can be used to install a backdoor on the router.
Appending to and reading from arbitrary files on the router.

Solution

This vulnerability remains unpatched at the time of writing. An intrepid user could, at their own risk, craft a shell command to disable the Quagga zebra and ripd services and then use the file-append vulnerability to write that command to the end of script that they know will be executed whenever the device is rebooted. In order for this to work, the target script would have to reside on one of the device's persistent filesystems, or the modifications would not survive a reboot. It is also possible to use the denial of service vulnerability described in the Synopsis to temporalily block access to either service.

Disclosure Timeline

September 24, 2021 - Tenable notifies D-Link of vulnerabilities and explains disclosure policy
September 24, 2021 - D-Link acknowledges notification
October 14, 2021 - D-Link requests additional details
October 14, 2021 - Tenable provides D-Link with complete proof-of-concept scripts
October 14, 2021 - D-Link acknowledges receipt of scripts
October 17, 2021 - D-Link provides Tenable with patched firmware image to review
October 26, 2021 - Tenable responds to D-Link with analysis and criticism of proposed patch, which remains vulnerable
October 27, 2021 - D-Link acknowledges receipt of feedback
December 28, 2021 - Advisory Published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID
TRA-2021-44
Credit

Olivia Fraser

CVSSv3 Base / Temporal Score
8.8 / 8.6
CVSSv3 Vector
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Additional Keywords
RCE
routers
default credentials
Affected Products
D-Link DIR-2640 with Firmware Version <= 1.11B02
Risk Factor
High

Advisory Timeline

December 28, 2021 - Advisory Published
December 29, 2021 - Advisory Updated
tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until December 31st.
Buy a multi-year license and save more.

Add Support and Training