Patch Now! CISA Warns of Actively Exploited D-Link Router Vulnerabilities

By: danduran | Category: Technology, Cybersecurity

Hey everyone, Dan here. As a cybersecurity professional, I feel it's crucial to share some recent developments that need your immediate attention. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two critical security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog. This addition is based on solid evidence of active exploitation in the wild.

The Vulnerabilities

Here's a quick rundown of the vulnerabilities:

  • CVE-2014-100005: This is a cross-site request forgery (CSRF) vulnerability affecting D-Link DIR-600 routers. It allows an attacker to change router configurations by hijacking an existing administrator session. You can read more about it here.

  • CVE-2021-40655: This vulnerability affects D-Link DIR-605 routers. It allows attackers to obtain usernames and passwords by forging an HTTP POST request to the /getcfg.php page. More details are available here.
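As an added example (not from this post or from D-Link), here is a small defender-side log triage script for the two flaws above: it parses web-server access lines in the common "combined" format and flags POSTs to the /getcfg.php path named for CVE-2021-40655, plus POSTs to configuration endpoints whose Referer comes from a different host, the cross-site pattern behind the CSRF in CVE-2014-100005. The log lines, the 192.168.0.1 admin host and the /apply.cgi endpoint are constructed assumptions, not values from the advisories.

```python
import re
from urllib.parse import urlsplit

# Regex for the Apache/nginx "combined" access log format. The Referer field
# is what lets us spot a browser being driven from another site (CSRF).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic). Assumed router admin host: 192.168.0.1.
SAMPLE_LOG = """\
192.168.0.23 - - [20/May/2024:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "http://192.168.0.1/" "Mozilla/5.0"
203.0.113.7 - - [20/May/2024:10:02:15 +0000] "POST /getcfg.php HTTP/1.1" 200 2048 "-" "curl/8.0"
192.168.0.23 - - [20/May/2024:10:03:40 +0000] "POST /apply.cgi HTTP/1.1" 200 128 "http://evil.example/page.html" "Mozilla/5.0"
192.168.0.23 - - [20/May/2024:10:04:11 +0000] "POST /apply.cgi HTTP/1.1" 200 128 "http://192.168.0.1/wizard.htm" "Mozilla/5.0"
"""

ROUTER_HOST = "192.168.0.1"             # assumption: the admin interface's own host
CREDENTIAL_ENDPOINTS = {"/getcfg.php"}  # credential-disclosure path named for CVE-2021-40655


def triage(log_text: str, router_host: str = ROUTER_HOST) -> list[dict]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlsplit(m["path"]).path
        # "-" means the client sent no Referer; that is ambiguous, so it is not flagged here.
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if m["method"] == "POST" and path in CREDENTIAL_ENDPOINTS:
            findings.append({"src": m["src"], "path": path, "rule": "credential-disclosure-probe"})
        elif m["method"] == "POST" and ref_host is not None and ref_host != router_host:
            # A config POST whose originating page lives on another host is the CSRF signature.
            findings.append({"src": m["src"], "path": path, "rule": "cross-site-config-post"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```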

Urgent Action Required

Federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024. If you're using these routers, patching them immediately is critical. For organizations still using legacy D-Link products affected by CVE-2014-100005, which are now end-of-life (EoL), it's time to retire and replace these devices.

New Threats on the Horizon

In a related development, the SSD Secure Disclosure team has revealed unpatched security issues in DIR-X4860 routers. These flaws could allow remote unauthenticated attackers to access the HNAP port, gain elevated permissions, and run commands as root. By combining an authentication bypass with command execution, the device can be completely compromised. This impacts routers running firmware version DIRX4860A1_FWV1.04B03.

SSD Secure Disclosure has also released a proof-of-concept (PoC) exploit, showing how a specially crafted HNAP login request can bypass authentication protections and achieve code execution via a command injection vulnerability. D-Link has acknowledged the issue and stated that a fix is "Pending Release / Under Development." You can find more about this here.

Ivanti Endpoint Manager Mobile (EPMM) Vulnerabilities

The news doesn't stop there. Cybersecurity researchers have released a PoC exploit for a new vulnerability in Ivanti EPMM (CVE-2024-22026, CVSS score: 6.7). This flaw allows an authenticated local user to bypass shell restrictions and execute arbitrary commands on the appliance.

Bryan Smith from Redline Cyber Security explained that this vulnerability lets a local attacker gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL. This issue stems from inadequate validation in the EPMM command-line interface's installation command.

Additionally, Ivanti has patched two other SQL injection flaws in the same product (CVE-2023-46806 and CVE-2023-46807, CVSS scores: 6.7) that could allow an authenticated user with appropriate privileges to access or modify data in the underlying database. Although there's no evidence these flaws have been exploited, it's essential to update to the latest version to mitigate potential threats.

Final Thoughts

Staying on top of these vulnerabilities is crucial for maintaining a secure network environment. Make sure to apply the necessary patches and updates to protect your systems. For more detailed information, check out the official alerts from CISA and other sources linked below.

Stay vigilant and keep your systems secure. Cheers!