Cybersecurity Alert: Vulnerabilities Detected in D-Link Routers
On May 16, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the inclusion of two serious security vulnerabilities affecting certain models of D-Link routers in its Known Exploited Vulnerabilities (KEV) catalog. This action was prompted by evidence suggesting that these weaknesses are currently being exploited in the wild, heightening the urgency for mitigation measures among impacted users.
The vulnerabilities identified by CISA include CVE-2014-100005 and CVE-2021-40655. The former is a cross-site request forgery (CSRF) vulnerability in the D-Link DIR-600 router, allowing an attacker to alter router settings by riding on an active administrator session. The second vulnerability, CVE-2021-40655, affects D-Link DIR-605 routers and permits attackers to extract usernames and passwords by sending a forged HTTP POST request to the router's configuration page. Although specific details regarding exploitation methods remain unclear, CISA has recommended that all federal agencies apply the fixes provided by the vendor by June 6, 2024.
In addition to these vulnerabilities, the SSD Secure Disclosure team has reported unaddressed security flaws in the D-Link DIR-X4860 router, which could allow remote, unauthenticated attackers to access the Home Network Administration Protocol (HNAP) port. This access could enable attackers to gain elevated permissions and execute commands as root on the device. According to SSD, the combination of an authentication bypass and command execution could lead to a complete compromise of the router. The affected firmware version is specified as DIRX4860A1_FWV1.04B03.
Moreover, a proof-of-concept exploit has been made available by SSD, showcasing how attackers might leverage a malicious HNAP login request to circumvent authentication and exploit command injection vulnerabilities. D-Link has acknowledged these issues in a recent bulletin, indicating that a fix is currently under development.
It is important to note that CVE-2014-100005 pertains to older D-Link devices that have reached their end-of-life and should be replaced to mitigate potential risks. While there is no current evidence of widespread exploitation of CVE-2021-40655 and the associated D-Link vulnerabilities, organizations are urged to stay vigilant.
In a separate but equally concerning development, Ivanti has released patches for multiple vulnerabilities within its Endpoint Manager Mobile (EPMM), including a new risk identified as CVE-2024-22026. This vulnerability, which has a CVSS score of 6.7, allows an authenticated local attacker to bypass shell restrictions and execute arbitrary commands due to inadequate validation during the installation command process. This could potentially provide root access to the system if exploited with a malicious RPM package.
The reported vulnerabilities in both D-Link routers and Ivanti’s EPMM software highlight the potential for initial access and privilege escalation tactics as defined in the MITRE ATT&CK framework. For organizations employing these devices and platforms, understanding the specific risks and implementing proactive remediation strategies is critical in maintaining robust cybersecurity defenses.
Business owners and IT managers are encouraged to monitor updates from both D-Link and Ivanti closely and to implement necessary updates without delay. By staying informed and taking timely action, organizations can significantly reduce their exposure to these vulnerabilities and enhance their overall security posture.