Unpatched zero-day in the D-Link DSL-2640B router lets anyone on the LAN replace its firmware

Security researcher Gianluca Pacchiella recently published a blog post on CVE-2020-9544, a zero-day vulnerability in the D-Link DSL-2640B ADSL router. “I did a security assessment on my old router, as I switched Internet service providers, so I installed a new one,” Pacchiella says.

Pacchiella briefly describes how he found the issue: he reduced the HTTP request handler he recovered from the device to its essential logic. “I started by removing all code that is not strictly necessary; in the second line, for example, I extracted method, path and protocol,” he writes.

After parsing a couple of possible headers, the handler checks whether the request is a POST and, if the path matches a specific string, loads the uploaded firmware and returns; a parallel branch does the same for updating the router's settings. The problem is the ordering: both branches run and return before the handler has confirmed that the client holds an authenticated session, so whoever can reach the web interface can trigger them.
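As an added illustration (constructed for this article, not the DSL-2640B firmware and not Pacchiella's own code), the following C model reproduces the dispatch pattern just described: the request line is split into method, path and protocol, and a POST to the firmware-upload or settings path is serviced before any session check. A hardened dispatcher that authenticates first is shown beside it. The path names, the `Cookie: session=valid` marker and the sample requests are assumptions made for illustration.

```c
/* Added example (not the DSL-2640B firmware and not Pacchiella's code): a
 * constructed model of the request-dispatch pattern the article describes,
 * with the vulnerable ordering beside a hardened one. Path names, the
 * session marker and the outcome codes are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UPGRADE_PATH  "/upgrade.cgi"          /* assumed firmware-upload path */
#define SETTINGS_PATH "/apply.cgi"            /* assumed settings-update path */
#define SESSION_HDR   "Cookie: session=valid" /* assumed "logged in" marker   */

enum outcome {
    OUT_BAD_REQUEST,
    OUT_FORBIDDEN,
    OUT_NOT_FOUND,
    OUT_FIRMWARE_WRITTEN,
    OUT_SETTINGS_APPLIED
};

struct request {
    char method[8];
    char path[128];
    char proto[16];
    bool has_session;
};

/* Extract method, path and protocol from the request line, then look for the
 * (assumed) session header. Only the fields the dispatcher needs are kept. */
static bool parse_request(const char *raw, struct request *req)
{
    memset(req, 0, sizeof *req);
    if (sscanf(raw, "%7s %127s %15s", req->method, req->path, req->proto) != 3)
        return false;
    req->has_session = strstr(raw, SESSION_HDR) != NULL;
    return true;
}

/* Route state-changing POSTs. Shared by both dispatchers so that the only
 * difference between them is where the session check sits. */
static enum outcome route_post(const struct request *req)
{
    if (strcmp(req->method, "POST") != 0)
        return OUT_NOT_FOUND;
    if (strcmp(req->path, UPGRADE_PATH) == 0)
        return OUT_FIRMWARE_WRITTEN;   /* a real device would flash the image */
    if (strcmp(req->path, SETTINGS_PATH) == 0)
        return OUT_SETTINGS_APPLIED;   /* a real device would rewrite config  */
    return OUT_NOT_FOUND;
}

/* Vulnerable ordering: the firmware and settings branches return before the
 * session is ever examined, so any host that can reach the interface wins. */
enum outcome dispatch_vulnerable(const char *raw)
{
    struct request req;
    enum outcome out;
    if (!parse_request(raw, &req))
        return OUT_BAD_REQUEST;
    out = route_post(&req);
    if (out != OUT_NOT_FOUND)
        return out;                    /* no credentials checked on this path */
    if (!req.has_session)
        return OUT_FORBIDDEN;          /* only the remaining pages are gated  */
    return OUT_NOT_FOUND;
}

/* Hardened ordering: authenticate first, then route. */
enum outcome dispatch_fixed(const char *raw)
{
    struct request req;
    if (!parse_request(raw, &req))
        return OUT_BAD_REQUEST;
    if (!req.has_session)
        return OUT_FORBIDDEN;
    return route_post(&req);
}

/* Constructed sample requests (not captured traffic). */
const char *const UNAUTH_UPGRADE =
    "POST /upgrade.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Content-Length: 4\r\n\r\nIMG!";
const char *const AUTH_UPGRADE =
    "POST /upgrade.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    "Cookie: session=valid\r\nContent-Length: 4\r\n\r\nIMG!";
const char *const UNAUTH_STATUS =
    "GET /status.html HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n";

int main(void)
{
    printf("vulnerable, unauthenticated upgrade POST -> %d (4 = firmware written)\n",
           dispatch_vulnerable(UNAUTH_UPGRADE));
    printf("fixed, unauthenticated upgrade POST      -> %d (1 = forbidden)\n",
           dispatch_fixed(UNAUTH_UPGRADE));
    printf("fixed, authenticated upgrade POST        -> %d (4 = firmware written)\n",
           dispatch_fixed(AUTH_UPGRADE));
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The fix in `dispatch_fixed` is the kind of change the article calls simple: the authentication check moves ahead of every state-changing route instead of gating only the pages that remain after the upload handlers have already returned.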

Pacchiella considers this a significant threat: anyone on the same subnet as the router can reach its management web interface and install their own firmware image without meaningful obstacles. He says he decided to publish the details so that users of the affected device can act on the information, since the risk of exploitation is high.

The researcher adds that he sent his report to the company but has not received any response. D-Link's silence is worrying, because exploiting the flaw requires nothing more than network access to the management interface. Pacchiella also states that correcting it would be a relatively simple change, which suggests the company has simply chosen not to act.

This is not the first time D-Link customers have accused the company of negligence, and several members of the cybersecurity community have recommended abandoning its products altogether.

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.