Your D-Link and Comba Wireless Modems Could Be Leaking Your Passwords. Here's What You Can Do.


Take a look at the comments under articles dedicated to vulnerabilities, and you'll see that every now and again, people tend to get annoyed by the amount of attention some security holes receive. Indeed, in many cases, exploiting the vulnerabilities is so hard that the attack scenarios presented by the researchers don't sound especially plausible.

Take the credential leaking vulnerabilities Trustwave researchers found in D-Link and Comba routers, as an example. The flaws are definitely there, but they require either network access or a network configuration that makes your router's web-based management system accessible from anywhere. Even if one of these requirements is met, automating the attack and hitting many people at once won't be easy, which means that unless you are a high-profile target, few attackers would be willing to take advantage of these particular security holes. That being said, no security flaw, no matter how difficult to exploit, should be ignored. Researchers' reports should always be taken seriously, and the vulnerabilities must be handled with care and transparency. Unfortunately, in this particular case, the vendors' reaction did leave the security experts a bit disappointed.

How your wireless modem could be leaking your passwords

The vulnerabilities all involved the wireless routers' web-based management system. In the case of D-Link's DSL-2875AL, the researchers were able to download a configuration file which stored the device's login credentials. The username and password were available in plain text, and the file was downloadable without any form of authentication.

DSL-2875AL as well as another D-Link model, DSL-2877AL, come with another vulnerability. The username and password that the user uses to connect to their ISP are stored inside the source code of the "index.asp" document which appears when the router's IP is entered into the address bar of the browser. Once again, an attacker doesn't need authentication to get to the sensitive information. They just need to know where to look.

The flaws researchers discovered in Comba's routers were pretty similar. Trustwave realized that an unauthenticated request to a specific URL on a network set up with a Comba AC2400 Wi-Fi Access Controller would give them access to a configuration file that stores the usernames and passwords as MD5 hashes.

In Comba's AP2600-I model, they found not one, but two ways of stealing the login data. Another unauthenticated request would result in the download of an SQLite database that stores the username and password in plain text. The same login credentials, in MD5 hashed form, were also available in the source code of the login page.
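A defender-side check for the page-source leaks described above, as an added example that is not code from Trustwave or either vendor: it scans a saved copy of your own router's login or index page for pre-filled credential fields, script variables with credential-like names, and 32-hex-digit values that look like MD5 hashes. The sample markup, field names and values are constructed for illustration.

```python
import re
from html.parser import HTMLParser

CRED_NAME = re.compile(r"pass|pwd|user|login", re.I)   # credential-like identifiers
JS_ASSIGN = re.compile(r"""([A-Za-z_]\w*)\s*[=:]\s*["']([^"']+)["']""")
MD5_LIKE = re.compile(r"[0-9a-fA-F]{32}")               # 128-bit hex digest shape

class LeakFinder(HTMLParser):
    """Collects (kind, field_name) pairs; secret values are never stored."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "input":
            name = a.get("name") or a.get("id") or ""
            value = a.get("value") or ""
            if value and CRED_NAME.search(name):       # value shipped to the browser
                self._add("prefilled-input", name, value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                             # inline script text only
            for name, value in JS_ASSIGN.findall(data):
                if CRED_NAME.search(name):
                    self._add("script-variable", name, value)

    def _add(self, kind, name, value):
        if MD5_LIKE.fullmatch(value):
            kind += "-md5-like"
        self.findings.append((kind, name))

def audit_page_source(html):
    finder = LeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; not taken from any real device.
SAMPLE = """<html><body><script>
var pppoe_username = "user@isp.example"; var pppoe_password = "constructed-secret"; var lang = "en";
</script><form><input type="text" name="login_user" value="admin">
<input type="hidden" name="login_pwd" value="0123456789abcdef0123456789abcdef">
<input type="password" name="new_password" value=""></form></body></html>"""

if __name__ == "__main__":
    for kind, field in audit_page_source(SAMPLE):
        print(f"{kind}: {field}")
```

Any finding on a page that loads before you log in means the device is handing credentials to unauthenticated clients, which is the condition the researchers reported.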

Vendors don't react to the vulnerabilities as well as they should

As soon as Trustwave discovered the vulnerabilities, they got in touch with both D-Link and Comba. It's fair to say that the vendors' reaction wasn't exactly exemplary.

Comba flat-out ignored the reports and hasn't said anything about the problem. Their routers are still vulnerable to the attacks outlined above, and if you use them, you need to keep this in mind. To minimize the threat, make sure your network is properly configured and that only the services you need are running.

D-Link did respond to Trustwave's reports, but instead of a quick and efficient resolution, the whole thing descended into a bit of a farce. Trustwave initially gave D-Link a 90-day timeframe before the public disclosure of the vulnerabilities. At one point, however, the router manufacturer told the researchers that the R&D department wouldn't be able to fix the issue before the deadline. Trustwave showed some understanding and provided "a lengthy extension", but during it, D-Link simply stopped communicating with the researchers.

Days before Trustwave published its findings, however, D-Link wrote in to say that users can patch the vulnerabilities by downloading newer versions of the firmware for DSL-2875AL and DSL-2877AL.

After wrote about the vulnerabilities, a D-Link spokesperson said that the holes were patched back in 2016 and that Trustwave's researchers found them only because the devices they were testing ran on old firmware. The researchers then rightly asked why they weren't informed of all this immediately after disclosing their findings.

It's good to hear that the vulnerabilities have been patched, and people who use D-Link routers must make sure that they have updated their firmware to the latest version. The way the company responded to the reports, however, was still far from perfect. As for Comba's reaction (or lack thereof), we'll leave you to draw your own conclusions.

September 16, 2019
