Taiwanese consumer technology manufacturer D-Link has issued security fixes for a series of bugs that, if exploited, could have enabled hackers to steal passwords and other sensitive data from home internet routers during the coronavirus pandemic.
If used in concert, the vulnerabilities would have allowed attackers to scan network traffic to steal session cookies, and upload or download sensitive files, Palo Alto Networks’ Unit 42 researchers said in findings published Friday. In some cases, the vulnerabilities could have helped attackers to conduct denial of service attacks.
While D-Link has released a security update for the flaws in question, the advisory offers a reminder that home internet routers represent targets for hackers aiming to take advantage of the increased number of people around the world teleworking as a result of the coronavirus. Hackers seized the moment early during the coronavirus pandemic, messing with Domain Name System settings in home routers in the U.S. and in multiple European countries to convince victims to download malware, according to prior BitDefender research.
D-Link, which had a revenue greater than $123 million the first quarter of 2020, offers networking products for both business and consumer customers, including surveillance equipment, broadband devices, and switches. In 2019, the company agreed to implement a “comprehensive software security program” as part of a settlement with the U.S. Feredal Trade Commission.
Palo Alto Networks researchers did not say whether hackers had exploited the vulnerabilities they found.
One of the issues that Unit 42 researchers uncovered, dubbed CVE-2020-13782, could allow for a denial of service attack, and would allow attackers to inject arbitrary code to be executed on the router with administrative privileges, which means attackers could, for instance, conduct a denial of service attack.
But in order to exploit this vulnerability, hackers would require authentication, which hackers could effectively achieve if they exploit either of two other vulnerabilities Palo Alto Networks researchers found, CVE-2020-13786 and CVE-2020-13784.
If the attackers exploit CVE-2020-13786, for instance, they would have been able to gain access to password-protected parts of websites by sniffing web traffic, since some of the pages on the D-Link routers’ web interface were vulnerable to cross-site request forgery. This vulnerability could allow attackers to delete and view contents of files, or upload malware.
If they exploit CVE-2020-13784, hackers would be able to access the session cookies that websites use to keep users logged in, and monitor user information. If hackers gain such access, they would be able to essentially impersonate a victim online.
The attackers would be able to gain access to the session cookies even if victims were using HTTPS to encrypt sessions because the algorithm in the router that calculates the session cookie produces predictable results, the researchers said.