Secure your D-Link & Comba routers’ passwords; critical vulnerabilities found

Web application security specialists have discovered a set of vulnerabilities in D-Link and Comba WiFi routers that, if exploited, could leak the owners’ passwords. The researchers, from security firm Trustwave, found five flaws in total, all of which could be considered critical.

Experts found two flaws in the firmware of D-Link DSL-2875AL and DSL-2877AL wireless routers. The first is a configuration file, readable by any unauthenticated user, that stores the device administrator’s password.

“More than a vulnerability, the second one is a company’s oversight,” the web application security expert report mentions. In this case, the source code of the router’s login page exposes the Internet service provider’s user name and password in plain text, so anyone who can load the login page can read the ISP credentials. D-Link has already released firmware updates for the vulnerable models.

Although the researchers reported these flaws to the company in a timely manner, D-Link did not commit to any action until the experts, once the agreed disclosure deadline had passed, signalled their intent to publish the findings. “While D-Link’s initial response wasn’t encouraging at all, the vulnerabilities have already been fixed,” the experts added.

Separately, web application security experts led by researcher Simon Kenin found three security vulnerabilities in the Comba AC2400 access controller and AP2600 access point. “The first of these failures involves the plain text storage of MD5 passwords; only the IP address of a vulnerable device is required to access this information”, the report mentions.

The AP2600, meanwhile, stores the MD5 hash of the administrator password both in the source of its login web page and in a configuration file, and both are readable by anyone who knows the device’s IP address, the experts say. Since an unsalted MD5 hash of a common password can be cracked offline in seconds, exposing the hash is practically equivalent to exposing the password itself.
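The pattern behind all five findings is the same: credentials, or hashes of them, end up in content the device serves without authentication (login page source, a configuration dump). The following added example is not code from Trustwave, D-Link or Comba; it is a generic check an administrator could run against pages fetched from their own device after updating. It scans constructed sample content (a hypothetical login page and configuration dump, not the real firmware's markup) for credential-looking assignments and MD5-shaped tokens, then shows why an exposed unsalted MD5 hash is as bad as a plaintext password by recovering it from a small constructed wordlist. The function and variable names are assumptions made for the example.

```python
import hashlib
import re

# Assignments or config lines whose key looks like a credential:
#   var isp_pass = "..."; admin_pwd_hash=...; login: '...'
# (hypothetical heuristic for the example, not a vendor format).
CRED_KEY = re.compile(
    r'(?i)\b([A-Za-z_][\w.-]*(?:user|pass|pwd|secret|login)[\w.-]*)'
    r'\s*[:=]\s*["\']?([^"\'\s;<>]+)'
)
# A bare 32-hex-digit token is the shape of an MD5 hex digest.
MD5_HEX = re.compile(r'\b[0-9a-fA-F]{32}\b')


def find_credential_leaks(text):
    """Return (key, value) pairs for credential-looking assignments in text."""
    return [(m.group(1), m.group(2)) for m in CRED_KEY.finditer(text)]


def find_md5_hashes(text):
    """Return the distinct MD5-shaped tokens in text, lower-cased and sorted."""
    return sorted({h.lower() for h in MD5_HEX.findall(text)})


def crack_md5(digest, wordlist):
    """Unsalted MD5 is a direct function of the password, so a wordlist
    lookup recovers it; return the matching word or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def audit_unauthenticated_content(page_source, config_text, wordlist):
    """Audit content fetched without logging in: anything found here is
    readable by whoever can reach the device's IP address."""
    leaks = {
        "login_page": find_credential_leaks(page_source),
        "config_file": find_credential_leaks(config_text),
    }
    hashes = sorted(set(find_md5_hashes(page_source) + find_md5_hashes(config_text)))
    cracked = {h: crack_md5(h, wordlist) for h in hashes}
    return {"leaks": leaks, "hashes": hashes, "cracked": cracked}


# Constructed sample data (not captured from any real device).
ADMIN_HASH = hashlib.md5(b"admin123").hexdigest()

SAMPLE_LOGIN_PAGE = f"""<html><head><title>Router Login</title>
<script type="text/javascript">
// constructed: credentials embedded in client-side script
var isp_user = "user@example-isp.net";
var isp_pass = "pppoe-secret";
var admin_pwd_hash = "{ADMIN_HASH}";
</script></head>
<body><form><input type="text" name="uid">
<input type="password" name="pwd"></form></body></html>
"""

SAMPLE_CONFIG = f"""# constructed configuration dump, fetched without authentication
hostname=home-router
wan_pppoe_user=user@example-isp.net
wan_pppoe_pass=pppoe-secret
admin_pwd_hash={ADMIN_HASH}
"""

SAMPLE_WORDLIST = ["admin", "password", "1234", "admin123"]

if __name__ == "__main__":
    report = audit_unauthenticated_content(SAMPLE_LOGIN_PAGE, SAMPLE_CONFIG, SAMPLE_WORDLIST)
    for where, pairs in report["leaks"].items():
        for key, value in pairs:
            print(f"{where}: {key} = {value}")
    for digest, word in report["cracked"].items():
        print(f"md5 {digest} -> {word or 'not in wordlist'}")
```

A clean device should produce an empty report for both the login page and any URL that returns configuration data without a session; a non-empty one means the update did not close the exposure or the credentials need to be rotated regardless. The heuristic is deliberately loose (any key containing user, pass, pwd, secret or login), so treat hits as candidates to inspect rather than confirmed findings.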

Although both companies reserved the right to clarify these findings, updates that address the flaws are already available. International Institute of Cyber Security (IICS) web application security specialists recommend that administrators of these devices upgrade to the latest firmware versions to mitigate the risk of exploitation. Because the credentials may already have been read by anyone who could reach the device, changing the administrator and ISP passwords after updating, and keeping the management interface unreachable from the WAN side, are sensible additional steps.