
CISA advises D-Link users to take vulnerable routers offline

On April 4, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-45382 to its known exploited vulnerabilities catalog. But since the affected products have reached end of life (EOL), the advice is to disconnect them, if still in use.

CISA catalog

The CISA catalog of known exploited vulnerabilities was set up to list the most important vulnerabilities that have proven to pose the biggest risks. The catalog is an integral part of binding operational directive (BOD) 22-01 titled Reducing the Significant Risk of Known Exploited Vulnerabilities.

This directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. One of the most welcomed required actions set forth in the directive is that CISA will keep a catalog of vulnerabilities alongside timeframes in which they must be remediated.

EOL

End-of-life (EOL) is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. When products reach End of Support (EOS) or EOL it is usually announced far in advance.

As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases. Unfortunately, this often means that the security of these products quickly decreases. Vulnerabilities found after that point only get patched in very rare cases.

The vulnerability

CVE-2021-45382 is a Remote Code Execution (RCE) vulnerability that exists in all series and all hardware revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers, via the DDNS function in the ncc2 binary file.

DDNS (Dynamic Domain Name System) is a function that lets systems cope with dynamic IP addresses when connecting to a resource somewhere on the Internet whose IP address may change at any time.

The ncc2 service on the affected devices allows for basic firmware and language file upgrades via the web interface. The service appears to have been shipped with a number of diagnostic hooks available. Unfortunately, these hooks can be called without authentication. The necessary resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used both to interrogate the given device for information and to enable diagnostic services on demand.

A Proof of Concept (PoC) is publicly available on GitHub, which makes it trivial for anyone with malicious intentions to take control of the vulnerable routers.

Affected devices

D-Link lists the affected models that have reached EOL as DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L all series and all hardware revisions. All of these models were offered a last update on 19 December 2021.

D-Link’s advice for these models is for them to be retired and replaced. For organizations to be in compliance with the binding operational directive 22-01 this will need to be done before 25 April 2022.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.
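To find devices that need to be retired, the model list and deadline above can be checked against an asset inventory. The following is an added example, not code from D-Link, CISA or the author: the inventory rows, hostnames and the look-alike model are constructed, and the record only borrows the field names of the KEV JSON feed.

```python
import re
from datetime import date

# Constructed record using KEV JSON field names; values are those in this article.
KEV_ENTRY = {"cveID": "CVE-2021-45382", "dateAdded": "2022-04-04",
             "dueDate": "2022-04-25"}

# Affected models as listed in the article; "DIR-820L/LW" covers two suffixes.
AFFECTED_SPEC = ["DIR-810L", "DIR-820L/LW", "DIR-826L", "DIR-830L", "DIR-836L"]

def expand_models(spec):
    """Expand entries such as 'DIR-820L/LW' into 'DIR-820L' and 'DIR-820LW'."""
    models = set()
    for item in spec:
        m = re.fullmatch(r"(DIR-\d+)([A-Z]+(?:/[A-Z]+)*)", item)
        models.update(m.group(1) + suffix for suffix in m.group(2).split("/"))
    return models

AFFECTED = expand_models(AFFECTED_SPEC)

# Tolerates "DIR-810L", "dir810l" and "DIR 810L" in free-text inventory fields.
# Digits and suffix are captured whole, so "DIR-8100L" never matches "DIR-810L".
MODEL_RE = re.compile(r"\bDIR[-\s]?(\d+)([A-Z]*)\b", re.IGNORECASE)

def triage(inventory, today):
    """Return (host, model, days_past_due) for every affected device.

    All series and hardware revisions are affected, so the revision text
    that follows the model name is deliberately ignored.
    """
    due = date.fromisoformat(KEV_ENTRY["dueDate"])
    hits = []
    for host, description in inventory:
        m = MODEL_RE.search(description)
        model = f"DIR-{m.group(1)}{m.group(2).upper()}" if m else None
        if model in AFFECTED:
            hits.append((host, model, (today - due).days))
    return hits

# Constructed inventory rows: (hostname, free-text model field).
INVENTORY = [
    ("branch-gw-01", "D-Link DIR-820LW rev B1"),
    ("lab-ap-07", "dlink dir810l"),
    ("hq-gw-02", "D-Link DIR-8100L"),        # hypothetical look-alike, not affected
    ("office-ap-03", "ExampleVendor AP-100"),  # hypothetical other vendor
    ("store-gw-11", "DIR-836L H/W A1"),
]

if __name__ == "__main__":
    for host, model, overdue in triage(INVENTORY, date(2022, 5, 2)):
        print(f"{host}: {model} ({KEV_ENTRY['cveID']}), {overdue} days past due")
```

A negative day count means the device was found before the due date; either way the action is the one stated above, retire and replace.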

Mitigation

In these cases, and under the given circumstances, it seems indeed best to replace the affected models with a more secure device. Recently CISA gave similar advice for the D-Link DIR-610 and DIR-645, as well as for the Netgear DGN2200.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher
