D-Link has recently released a firmware update to address three out of six security flaws impacting the DIR-865L wireless home router.
Below the list of vulnerabilities affecting the D-Link home routers:
The flaws were reported to D-Link by researchers at Palo Alto Networks in February, experts pointed out that the issues could also affect newer models because they share portions of firmware code.
Only the command injection vulnerability is rated critical, the remaining ones are high-severity, they can be exploited by attackers to execute arbitrary commands, steal sensitive information, upload malicious payloads, or delete data.
According to Palo Alto Networks’ Unit 42 researcher Gregory Basior an attacker could chain some of the above issues to sniff network traffic and steal session cookies.
“Different combinations of these vulnerabilities can lead to significant risks. For example, malicious users can sniff network traffic to steal session cookies.” reads the analysis published by Palo Alto Networks.
“With this information, they can access the administrative portal for file sharing, giving them the ability to upload arbitrary malicious files, download sensitive files, or delete essential files. They can also use the cookie to run arbitrary commands to conduct a denial of service attack.”
D-Link’s DIR-865L is no longer supported for U.S. consumers, while the vendor sill provides supports for European customers.
The vendor released a beta firmware release that fixes only three out of the six flaws, it recommends customers to replace their device with a new model.
“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it” states D-Link.
(SecurityAffairs – D-Link DIR-865L, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.