D-Link DIR-620

Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet.

Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account.

The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.

To prevent abuse, Kaspersky researchers have refrained from disclosing the backdoor's account username and password.

D-Link backdoor

One other vulnerability can disclose Telnet credentials

The backdoor account (CVE-2018-6213) is just one of four vulnerabilities Kaspersky researchers found in the firmware of these devices following a recent security audit. The other three flaws include:

⯄  CVE-2018-6210 - a vulnerability that lets attackers recover Telnet credentials
⯄  CVE-2018-6211 - a flaw that lets attackers execute OS commands via one of the admin panel's URL parameters
⯄  CVE-2018-6212 - a reflected cross-site scripting (XSS) vulnerability in the router's "Quick Search" admin panel field

Both CVE-2018-6210 and CVE-2018-6213 are considered dangerous flaws as they allow attackers easy access to the device.

Not that many devices left around to exploit

The good news is that D-Link DIR-620 devices are older router models and there aren't that many around to exploit.

Most of these devices were deployed by Russian, CIS, and Eastern European ISPs as on-premise equipment provided to broadband customers.

The vast majority of these devices are located in Russia, and Kaspersky said it already contacted ISPs to inform them of the issue.

Shodan searches for these devices reveal less than 100 DIR-620 routers available online, showing that most ISPs have heeded Kaspersky's warnings and restricted access to these devices on their networks.

D-Link won't release firmware updates for such an old device

Kaspersky experts said they've also contacted D-Link about the discovered issues, but the company said it did not intend to issue new firmware updates for such an older model unless one of the ISPs it has as an enterprise customer specifically request a security update for these devices.

Researchers said they tested the following DIR-620 firmware versions and found that they included the four flaws, in various degrees:

1.0.3
1.0.37
1.3.1
1.3.3
1.3.7
1.4.0
2.0.22

Related Articles:

All That Port 8000 Traffic This Week! Yeah, That's Satori Looking for New Bots

17 Backdoored Docker Images Removed From Docker Hub

Cisco Removes Backdoor Account, Fourth in the Last Four Months

VPNFilter Can Also Infect ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE Devices

Reboot Your Router to remove VPNFilter? Why It's Not Enough