D-Link DIR-865L WiFi is the most insecure router; 3 critical security flaws unfixed

The security team from technology manufacturer D-Link announced the release of fixes for three of the six vulnerabilities reported on DIR-865L, a widely used wireless router. According to the specialists of a cyber security course, a threat actor could exploit these flaws to execute arbitrary commands, extract sensitive data, load malware and even delete information on the target system.

This router was launched almost ten years ago and, for a few months now, users in the U.S. have not been receiving updates; some European websites have stopped selling the router, although providers are still releasing regular updates.

A team of specialists from a Palo Alto Networks cyber security course detected these flaws a couple of months ago and reported them to D-Link. Researchers believe that other similar products could be affected by the same flaws (newer models share the same code), although this has not been confirmed. The most severe vulnerabilities are described below, along with their CVE identifiers and scores according to the Common Vulnerability Scoring System (CVSS):

  • CVE-2020-13782: An arbitrary command injection flaw that received a CVSS score of 9.8/10, so it is considered a critical error.
  • CVE-2020-13786: A Cross-Site Request Forgery (CSRF) flaw that received a score of 8.8/10.
  • CVE-2020-13785: An inadequate encryption flaw that received a score of 7.5/10.

It should be noted that the most severe of these errors has not been fixed, as only three of the six reported vulnerabilities were patched.

Although CVE-2020-13782 is a critical flaw, experts in a cyber security course say its exploitation requires authentication. This could be achieved through a CSRF attack, but the CVSS score of this flaw will most likely be adjusted downward. One of Palo Alto’s researchers mentions that the joint exploitation of some of these flaws would allow hackers to detect network traffic and steal session cookies.

In response, D-Link released a beta version of this router’s firmware, although this measure will only correct three of the reported failures. Because this product has stopped receiving updates, the company recommends users purchase one of its most recent products. However, switching devices is not a common practice among home router users.
