Both glitches can be exploited without authentication

Mar 17, 2015 08:49 GMT

Two different, high-risk vulnerabilities allowing an attacker to take control of specific D-Link devices have been eliminated by the manufacturer with the release of new firmware updates.

Both of the glitches have been deemed critical based on their calculated Common Vulnerability Scoring System (CVSS) scores.

Update mechanism flaw is a 10 on the severity scale

One of the glitches, tracked as CVE-2015-2050, has the highest severity score as per the CVSS metrics and resides in the update mechanism of the DAP-1320 Rev Ax firmware version 1.11.

Commands can be executed on a vulnerable device because special elements used in operating system commands are not properly sanitized.

This can be achieved after intercepting the network traffic, an advisory from the CERT division at Carnegie Mellon University notes.

To mitigate this issue, users should apply D-Link’s recently released update to version 1.21b05.

CSRF attack can lead to router file tampering

The second vulnerability (CVE-2015-2049) affects DCS-930L, DCS-931L, DCS-932L, and DCS-933L Wi-Fi camera models from D-Link and it can be exploited to remotely upload arbitrary files from a third-party machine.

According to CERT, a specific write location can be assigned for the rogue data; the risk is that an attacker can create, modify or delete data, as well as execute code.

The threat actor would have to be authenticated in order to be able to upload the data to the vulnerable device, but the flaw can also be exploited through CSRF (cross-site request forgery) attacks.

In this case, an authenticated victim can be tricked into opening a malicious link containing the tasks to be performed in the device’s web-based administration console.

The calculated score for this weakness is 9.0, as exploiting it is not complex in nature and requires little information gathering; furthermore, the impact is high, as the attacker can completely take over the device.

CVE-2015-2049 affects all firmware versions lower than 1.04. D-Link has published firmware updates for all the affected products. Users are advised to apply the new patch as soon as possible.