Security researchers have identified new vulnerabilities affecting various router models in the D-Link DSR Family of devices, including DSR-150, DSR-250, DSR-500 and DSR-1000AC.
Compromised routers represent a serious security problem, and some device manufacturers treat them as such. Research from Digital Defense underlines a few vulnerabilities affecting multiple D-Link routers, and the company has already announced updates and patches.
The security researchers’ initial report, in August 2020, identified several vulnerabilities affecting the DSR-250 Hardware Revision A1 using firmware v3.17 or older. Because this platform shares the firmware with other devices in the same family, more than one router is affected.
Only two of the three reported vulnerabilities have been recognized by the hardware makers. The third one is considered part of the router’s normal functionality and will not be modified.
“Unauthenticated users with access to the ‘Unified Services Router’ web interface, either on LAN or WAN, can inject arbitrary commands via crafted requests, which will be executed with root privileges,” states the advisory regarding the first vulnerability.
“Authenticated users with access to the ’Unified Services Router‘ web interface, either on LAN or WAN, can inject arbitrary commands via crafted requests, which will be executed with root privileges,” is the second vulnerability recognized by D-Link.
The last vulnerability dealing with authenticated Crontab injection was rejected.
“For this generation of product, the device uses a plain text config, which is the design to directly edit and upload the config to the same DSR devices accordingly,” D-Link said.
The company issued new updates for all the supported devices, but with a caveat. For now, it’s only a Beta version, with final iterations coming in mid-December.