Researchers Observe Hackers Exploiting Vulnerability in End-of-Life D-Link DIR-859 Routers
1 July 2024 at 20:59
D-Link DIR-859 Router Vulnerability
The vulnerability allows an attacker to read sensitive information out of the router's configuration files. It lives in /htdocs/cgibin on the DIR-859, the single binary that processes the device's HTTP requests. By sending a specially crafted HTTP POST request to the router's web interface, an attacker can bypass the interface's access controls and retrieve user data without valid credentials. Researchers at the security firm GreyNoise observed a variant of the exploit in the wild that targets one specific configuration file holding user account information: the exploit scripts use the flaw to retrieve DEVICE.ACCOUNT.xml, which contains the usernames, passwords, group memberships and descriptions of every account on the device.
Protection Against D-Link Vulnerability
D-Link strongly recommends that users of DIR-859 routers retire and replace their devices with newer, supported models, and advises against continued use of end-of-life products because of the security risks involved. The discovery of this vulnerability has significant implications for owners of D-Link DIR-859 routers:
- Permanent vulnerability: the router model is no longer supported, so no official patch will ever be released for this flaw.
- Long-term risk: The disclosed information remains valuable to attackers for the entire lifespan of the device, as long as it remains internet-facing.
- Potential for further exploitation: the vulnerability, and the credentials it discloses, could be combined with other, as yet unknown, vulnerabilities to gain full control over affected devices.
D-Link strongly recommends that this product be retired and cautions that any further use of it may be a risk to the devices connected to it. If US consumers continue to use these devices against D-Link's recommendation, please make sure the device has the most recent firmware, make sure you frequently update the device's unique password for access to its web configuration, and always have Wi-Fi encryption enabled with a unique password.
The researchers stated that while the intended use of the information disclosed from the routers is unknown, it remains valuable to attackers for the lifetime of the device, as long as the device stays connected to the internet.
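Owners who keep a DIR-859 online despite that advice have no patch to apply, so the remaining practical control is to watch the traffic reaching the router's web interface for the exploit. The detector below is an added example written for this page; it is not code from the article, from GreyNoise or from D-Link. It scans constructed access-log lines (the log format, the /cgi-bin/admin.cgi path and the service= parameter are assumptions made for illustration; the article only says a crafted HTTP POST returns the file) and flags any request that names DEVICE.ACCOUNT.xml, plus any POST carrying a directory-traversal sequence after percent-decoding. The traversal rule assumes the crafted request reaches the file by a relative path, which is a guess about the request shape rather than something the article states; the file-name rule needs no such assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access log (not real traffic). The log format, the
# /cgi-bin/admin.cgi path and the "service=" parameter are assumptions made
# for this example; the article only states that a crafted HTTP POST to the
# web interface returns DEVICE.ACCOUNT.xml.
SAMPLE_LOG = """\
203.0.113.7 "POST /cgi-bin/admin.cgi HTTP/1.1" 200 body="service=../../../DEVICE.ACCOUNT.xml"
198.51.100.23 "GET /index.html HTTP/1.1" 200 body=""
203.0.113.7 "POST /cgi-bin/admin.cgi HTTP/1.1" 200 body="service=..%2F..%2F..%2Fetc%2Fpasswd"
192.0.2.10 "POST /cgi-bin/admin.cgi HTTP/1.1" 200 body="action=reboot"
203.0.113.9 "GET /DEVICE.ACCOUNT.xml HTTP/1.1" 404 body=""
"""

# One access-log line: source IP, request line, status code, request body.
LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)
# The file the observed exploit scripts retrieve, per the article.
TARGET_RE = re.compile(r"DEVICE\.ACCOUNT\.xml", re.IGNORECASE)
# A "../" or "..\" segment, matched after percent-decoding. Traversal is an
# assumed request shape for this example, not something the article states.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


@dataclass
class Finding:
    line_no: int
    src: str
    severity: str      # "high" if the account file is named, else "medium"
    served: bool       # True when the router answered 200
    reasons: List[str]


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = decode(entry["path"])
    entry["body"] = decode(entry["body"])
    return entry


def classify(line_no: int, entry: dict) -> Optional[Finding]:
    """Apply the two detection rules to a parsed request."""
    haystack = entry["path"] + " " + entry["body"]
    reasons = []
    names_target = TARGET_RE.search(haystack) is not None
    if names_target:
        reasons.append("request references DEVICE.ACCOUNT.xml")
    if entry["method"] == "POST" and TRAVERSAL_RE.search(haystack):
        reasons.append("directory traversal sequence in POST request")
    if not reasons:
        return None
    severity = "high" if names_target else "medium"
    return Finding(line_no, entry["src"], severity, entry["status"] == "200", reasons)


def scan(log_text: str) -> List[Finding]:
    """Scan a whole log and return findings in line order."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(line_no, entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        outcome = "file likely served" if f.served else "not served"
        print(f"line {f.line_no}: {f.src} [{f.severity}] {'; '.join(f.reasons)} ({outcome})")
```

Run against the constructed log it reports lines 1, 3 and 5: the first is the high-severity case (account file named, router answered 200, so the credentials should be treated as compromised), the third is a traversal attempt at another file, and the fifth names the file but got a 404. The `served` flag is what decides whether a finding is an attempt or a confirmed disclosure, which is the distinction that drives the response: a served DEVICE.ACCOUNT.xml means every password in it must be changed, and on an end-of-life device the only durable fix is still the one D-Link gives, taking it off the internet.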