D-Link fixes router vulnerabilities very quietly
In November last year D-Link fixed critical vulnerabilities in its cylinder-shaped DIR-645 wireless router, but neglected to let its customers in on the secret. Users looking for firmware updates on D-Link's US customer site for the router will come across a version 1.03, dated 21 November 2012. The change log promises enhancements for IPv6 and iOS 6 compatibility.
There is no indication that it might contain security fixes, so if the router has been doing its job well up until now, users are unlikely to feel the need to install the update. D-Link also makes no mention of the update on its router security web page.
Search results from the vulnerability search engine SHODAN confirm this impression – of 150 routers of this model which responded to the engine's online queries, the current firmware version is installed on only six. This constitutes a problem because a security researcher has discovered that older versions have a habit of spitting out the administrator password in plain text format. All that's required is a simple curl command:
curl -d SERVICES=DEVICE.ACCOUNT http://<device ip>/getcfg.php
The H's associates at heise Security were able to reproduce the problem. D-Link has confirmed the security expert's statement that the vulnerabilities were fixed in the update to the latest firmware version. Users running a DIR-645 should therefore install the update urgently. Even where the router is not accessible from the web, users will want to ensure that non-admin users on the local network are not able to access the password with such a simple hack.
The UK site for the DIR-645 lists firmware version 1.02 b11 as the latest update, which is presumably vulnerable to the attack. Customers from the UK will therefore either have to wait until D-Link releases the update for the UK market as well or will have to install an update which might not be appropriate to their region.