D-Link wireless modems found to leak passwords

D-Link DSL-2875AL modem contains password disclosure vulnerability: it is stored in clear text there

D-Link’s router troubles continue, as more vulnerabilities were discovered in its ADSL2+ modem routers. Trustwave's Spiderlabs has found two "credential-leaking vulnerabilities" in this router.

"While performing research on potential router vulnerabilities, Trustwave SpiderLabs security researcher, Simon Kenin, uncovered multiple credential vulnerabilities in some models of D-Link and Comba routers," said a Trustwave blog post.

The D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem, contains a password disclosure vulnerability in the file romfile.cfg. 

"This file is available to anyone with access to the web-based management IP address and does not require any authentication. The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there," explained the blog post.

The second D-Link vulnerability was found in models DSL-2875AL and DSL-2877AL. Anyone looking at the source code of the router login page would see the following lines:

var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';

var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';

"The username & password listed there are used by the user to connect to his/her ISP. This could allow an attacker to access the ISP account or the router itself if they admins reused the same credentials," the post said.

Clear text passwords is not acceptable in 2019, Ed Williams, EMEA director of?SpiderLabs?at Trustwave, told SC Media UK. "If you look at them, they're related around passwords and authentication. So the issues are really fundamental," he said.

D-Link has patched the vulnerabilities, Williams said, adding that what is needed to change is the architecture of designing products like these. 

"What we would recommend as an organisation is secure development lifecycle. By that, I mean getting security into the product as quick as you can, as early as you can, as often as you can," he explained.

"We always recommend to get security in nice and early to a product development lifecycle, because in the long run, your clients are going to get more assurance and it's gonna be it's going to be cheaper for you in the long run as well."

This is the latest in the list of troubles faced by the Taiwanese networking equipment vendor. 

In April, Troy Mursch, founder and security researcher at internet monitoring firm Bad Packets, disclosed that a cyber-crime group has been hacking into D-Link routers, changing DNS server settings to divert traffic from legitimate websites to their malicious clones.

In July, D-Link agreed to submit to product security audits of over 10 years as part of a lawsuit settlement with the US Federal Trade Commission. The FTC had earlier accused D-Link of faulty security practices, including leaked router security keys and the use of plain-text password storage in its mobile app.

Blazej Adamczyk of the Silesian University of Technology in Poland disclosed in October 2018 tha eight D-Link router variants are vulnerable to complete pwnage through a combination of security flaws.

The popularity of D-Link routers have put them on the line of cyber-attacks. The risks for users are equally big.

The company has been providing patches, but that hardly is an effective method to mitigate risks, said Williams. He prescribes three steps for end-users: security and device hygiene, choosing good passwords, and minimising the exposure. 

"Again, it goes back to the basics: patching, minimising external visibility, and only having them connect to and from trusted IP addresses," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews