The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security vulnerabilities affecting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2014-100005 – A cross-site request forgery (CSRF) vulnerability affecting the D-Link DIR-600 router, allowing an attacker to change the router configuration by hijacking an existing administrator session
- CVE-2021-40655 – An information disclosure vulnerability affecting D-Link DIR-605 routers, allowing attackers to obtain usernames and passwords by forging HTTP POST requests to the /getcfg.php page
There are currently no details on how these flaws are being exploited in the wild, but federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024.
Notably, CVE-2014-100005 affects older versions of D-Link products that have reached end-of-life (EoL) status, so organizations still using them need to retire and replace the devices.
The SSD Secure Disclosure team has disclosed unpatched security issues in the DIR-X4860 router that could allow an unauthenticated remote attacker to access HNAP ports to gain elevated privileges and run commands as root.
“By combining authentication bypass with command execution, devices can be completely compromised,” it said, adding that the issues affect routers running firmware version DIRX4860A1_FWV1.04B03.
SSD Secure Disclosure also published a proof-of-concept (PoC) exploit that uses a specially crafted HNAP login request to the router’s management interface to bypass authentication protections, together with a command injection vulnerability to achieve code execution.
D-Link has since acknowledged the issue in its own announcement and said a fix is “to be released/under development.” It describes the vulnerability as a LAN-side unauthenticated command execution flaw.
Ivanti fixes multiple bugs in Endpoint Manager Mobile (EPMM)
Cybersecurity researchers also released a PoC for a new vulnerability in Ivanti EPMM (CVE-2024-22026, CVSS score: 6.7), which could allow authenticated local users to bypass shell restrictions and execute arbitrary commands on the device.
“This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process via a malicious RPM package in a remote URL,” said Bryan Smith of Redline Cyber Security.
The problem stems from insufficient validation in the install command of the EPMM command-line interface, which can fetch an arbitrary RPM package from a user-supplied URL without verifying its authenticity.
CVE-2024-22026 affects all EPMM versions prior to 12.1.0.0. Ivanti also fixed two other SQL injection flaws in the same product (CVE-2023-46806 and CVE-2023-46807, CVSS score: 6.7) that could allow authenticated users with appropriate permissions to access or modify data in the underlying database.
While there is no evidence that these flaws have been exploited, users are advised to update to the latest version to mitigate potential threats.
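The gap described for CVE-2024-22026, fetching a package from a user-supplied URL without verifying its authenticity, is closed by checking both the source and the payload before any installer runs. The sketch below is an added example, not Ivanti's code or part of the original report; the host allow-list, file name, digest table and function names are hypothetical, and a pinned SHA-256 digest stands in for RPM signature verification.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical policy values, constructed for this example.
ALLOWED_HOSTS = {"updates.example.com"}
SAMPLE_PKG = b"constructed stand-in for RPM bytes"
TRUSTED_DIGESTS = {"agent-1.0.rpm": hashlib.sha256(SAMPLE_PKG).hexdigest()}

class UpdateRejected(Exception):
    """Raised when a package source or payload fails verification."""

def check_source(url: str) -> str:
    """Return the package file name if the URL satisfies the source policy."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("scheme must be https")
    if parts.username or parts.password:
        # Blocks https://trusted-host@other-host/ style confusion.
        raise UpdateRejected("credentials in URL are not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"host {parts.hostname!r} is not allow-listed")
    name = parts.path.rsplit("/", 1)[-1]
    if name not in TRUSTED_DIGESTS:
        raise UpdateRejected(f"no pinned digest for {name!r}")
    return name

def verify_package(url: str, payload: bytes) -> str:
    """Check source and digest; only then may the caller invoke the installer."""
    name = check_source(url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, TRUSTED_DIGESTS[name]):
        raise UpdateRejected("digest mismatch")
    return name

def decision(url: str, payload: bytes) -> str:
    """Map the verification outcome to a loggable verdict string."""
    try:
        return f"install {verify_package(url, payload)}"
    except (UpdateRejected, ValueError) as exc:  # ValueError: malformed URL
        return f"reject: {exc}"

if __name__ == "__main__":
    good = "https://updates.example.com/pkg/agent-1.0.rpm"
    print(decision(good, SAMPLE_PKG))
    print(decision("http://203.0.113.7/agent-1.0.rpm", SAMPLE_PKG))
    print(decision(good, b"tampered"))
```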