D-Link Pushes Firmware Updates for Vulnerable Routers
D-Link has begun to push out firmware updates for some of its home routers to address three separate vulnerabilities that could allow an attacker to perform remote code injection via access to the local area network, carry out DNS hijacking, or exploit chipset utilities in the router firmware that expose configuration information.
The company said in an advisory that it will release several updates between now and March 10. The most critical flaw is a “ping” issue, which opens the door for all kinds of nefarious activity, according to the researchers who first discovered it.
“The D-Link DIR636L (possibly others) incorrectly filters input on the ‘ping’ tool which allows an attacker to inject arbitrary commands into the router,” said Tiago Caetano Henriques of Swisscom, who discovered the main issue back in November. “Secondly, authentication is not being performed correctly. This enables a remote attacker to gain full control of the router, for example to attack other networks in a DDoS style attack, or even expose computers behind these devices to the internet as you are able to change firewall/NAT rules on this router.”