Executive Summary

Summary
Title: D-Link routers authenticate administrative access using specific User-Agent string

Information
Name: VU#248083
First vendor Publication: 2013-10-17
Vendor: VU-CERT
Last vendor Modification: 2013-10-18
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10
Attack Range: Network
CVSS Impact Score: 10
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#248083

D-Link routers authenticate administrative access using specific User-Agent string

Original Release date: 17 Oct 2013 | Last revised: 18 Oct 2013

Overview

Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected.

Description

CVE-2013-6026:

According to security researcher Craig Heffner, the firmware for various D-Link routers contains a backdoor that allows unauthenticated remote users to bypass the routers' password authentication mechanism. A router's internal web server will accept and process any HTTP requests that contain the User-Agent string "xmlset_roodkcableoj28840ybtide" without checking if the connecting host is authenticated.

D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default.

According to D-Link, the following D-Link routers are affected:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

According to the original vulnerability report, the following Planex routers are likely affected:
  • BRL-04R
  • BRL-04UR
  • BRL-04CW

It appears that Alpha Networks may be the OEM for routers branded by D-Link and Planex (and probably other vendors). It is not clear where in the supply chain the backdoor was added, so routers from any of these vendors may be affected.

CVE-2013-6027:
A separate stack overflow vulnerability in the management web server has also been reported.

Impact

An unauthenticated remote attacker can take any action as an administrator using the remote management web server.

Solution

D-Link is maintaining a page to inform users of this issue and provide updates as patches are released.

Restrict Access

Restrict access to the administrative web server by disabling remote management features or by blocking HTTP requests on the external WAN interface. The administrative web server may listen on ports 80/tcp or 8080/tcp.

D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default. There is some evidence that at least one ISP may have deployed vulnerable routers with the remote WAN management enabled.
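To check whether requests carrying the User-Agent string named above have been sent toward a device, HTTP logs from a sensor or proxy in front of it can be searched. The following is an added example, not part of the original advisory; it assumes logs in Combined Log Format, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# User-Agent value named in this advisory (CVE-2013-6026).
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format (assumed sensor/proxy output, not a router log format):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines using documentation-only addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2013:10:02:11 +0000] "GET / HTTP/1.1" 200 1843 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.23 - - [17/Oct/2013:10:02:15 +0000] "GET / HTTP/1.1" 401 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [17/Oct/2013:10:02:19 +0000] "GET / HTTP/1.1" 200 1843 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.44 - - [17/Oct/2013:10:05:40 +0000] "GET / HTTP/1.0" 401 512 "-" "xmlset_roodkcableoj28840ybtide"
not a log line
"""

def find_backdoor_requests(lines):
    """Map each source address to its requests that carried the backdoor User-Agent."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed or non-HTTP line
        # The advisory says requests that "contain" the string are accepted,
        # so match it as a substring rather than requiring equality.
        if BACKDOOR_UA in m["ua"]:
            hits[m["src"]].append((m["ts"], m["req"], int(m["status"])))
    return dict(hits)

def served_sources(hits):
    """Sources that got a non-error response: triage these first (heuristic)."""
    return sorted(s for s, reqs in hits.items() if any(st < 400 for _, _, st in reqs))

if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG.splitlines())
    for src, reqs in found.items():
        for ts, req, status in reqs:
            print(f"{ts} {src} {req!r} -> {status}")
    print("served:", served_sources(found))
```

A match that received a non-error status is worth investigating first, since it suggests the request was processed rather than rejected.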

Vendor Information

Vendor                       Status    Date Notified  Date Updated
D-Link Systems, Inc.         Affected  16 Oct 2013    17 Oct 2013
Alpha Networks Inc           Unknown   -              17 Oct 2013
Planex Communications Inc    Unknown   -              17 Oct 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9.0    E:F/RL:W/RC:C
Environmental  6.8    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
  • http://www.theregister.co.uk/2013/10/13/dlink_routers_have_admin_backdoor/
  • http://www.dlink.com/uk/en/support/security
  • http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html
  • http://pastebin.com/vbiG42VD

Credit

Thanks to Craig Heffner of /DEV/TTYS0 for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2013-6026, CVE-2013-6027
  • Date Public: 12 Oct 2013
  • Date First Published: 17 Oct 2013
  • Date Last Updated: 18 Oct 2013
  • Document Revision: 27

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/248083

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-264 Permissions, Privileges, and Access Controls
50 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type Description Count
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1
Hardware 1

Snort® IPS/IDS

Date Description
2014-01-10 D-Link DIR-100 User-Agent backdoor access attempt
RuleID : 28240 - Revision : 3 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2013-10-15 Name : The remote web server is affected by an authentication bypass vulnerability.
File : dlink_router_user_agent_auth_bypass.nasl - Type : ACT_ATTACK

Alert History

Date Information
2014-02-17 12:07:39
  • Multiple Updates
2013-11-11 13:36:17
  • Multiple Updates
2013-10-21 21:27:36
  • Multiple Updates
2013-10-19 17:22:19
  • Multiple Updates
2013-10-18 17:21:44
  • Multiple Updates
2013-10-17 21:20:31
  • First insertion