
Vulnerability In EOL D-Link DIR-859 Routers Exploited

D-Link DIR-859 WiFi routers have been found to have a path traversal vulnerability that allows for information disclosure. This vulnerability, identified as CVE-2024-0769, affects all hardware revisions and firmware versions of the DIR-859.

The DIR-859 model has reached its end-of-life status and will not be receiving any further updates from D-Link.

D-Link DIR-859 Router Vulnerability

The vulnerability allows attackers to access and retrieve sensitive information from the router’s configuration files. The vulnerability occurs in the /htdocs/cgibin directory on the DIR-859 router, where HTTP requests are processed by a single binary.

By sending a specially crafted HTTP POST request to the router’s web interface, an attacker can bypass security measures and gain unauthorized access to user data. Researchers from security firm GreyNoise observed a variation of the exploit in the wild, which targets a specific configuration file containing user account information.

The discovered exploit scripts leverage the vulnerability to retrieve the DEVICE.ACCOUNT.xml file, which contains usernames, passwords, group information, and descriptions for all users of the device.

Protection Against D-Link Vulnerability

D-Link strongly recommends that users of DIR-859 routers retire and replace their devices with newer, supported models. The company advises against continued use of end-of-life products due to the potential security risks involved.

The discovery of this vulnerability has significant implications for owners of D-Link DIR-859 routers:

  • Permanent vulnerability: As the router model is no longer supported, there will be no official patch to address this security flaw.
  • Long-term risk: The disclosed information remains valuable to attackers for the entire lifespan of the device, as long as it remains internet-facing.
  • Potential for further exploitation: The vulnerability could be used in combination with other, yet unknown, vulnerabilities to gain full control over the affected devices.

For U.S. customers unable to immediately replace their routers, it’s crucial to take additional security measures, such as disabling remote management features, using strong and unique passwords for all accounts, regularly monitoring router logs for suspicious activity, and considering a separate virtual private network (VPN) for added security.

D-Link’s official security advisory stated:

D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use these devices against D-Link’s recommendation, please make sure the device has the most recent firmware, make sure you frequently update the device’s unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.

Researchers stated that while the intended use of the information disclosed from the routers is unknown, it remains valuable to attackers for the lifetime of the device, as long as it remains connected to the internet.
