search menu icon-carat-right cmu-wordmark

CERT Coordination Center


D-Link routers authenticate administrative access using specific User-Agent string

Vulnerability Note VU#248083

Original Release Date: 2013-10-17 | Last Revised: 2014-07-29

Overview

Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected.

Description

CVE-2013-6026:

According to security researcher Craig Heffner, the firmware for various D-Link routers contains a backdoor that allows unauthenticated remote users to bypass the routers' password authentication mechanism. A router's internal web server will accept and process any HTTP requests that contain the User-Agent string "xmlset_roodkcableoj28840ybtide" without checking if the connecting host is authenticated.

D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default.

According to D-Link, the following D-Link routers are affected:

    • DIR-100
    • DIR-120
    • DI-624S
    • DI-524UP
    • DI-604S
    • DI-604UP
    • DI-604+
    • TM-G5240

According to the original vulnerability report, the following Planex routers are likely affected:
    • BRL-04R
    • BRL-04UR
    • BRL-04CW

It appears that Alpha Networks may be the OEM for routers branded by D-Link and Planex (and probably other vendors). It is not clear where in the supply chain the backdoor was added, so routers from any of these vendors may be affected.

CVE-2013-6027:
A separate stack overflow vulnerability in the management web server has also been reported.

Impact

An unauthenticated remote attacker can take any action as an administrator using the remote management web server.

Solution

D-Link is maintaining a page to inform users of this issue and provide updates as patches are released.

Restrict Access

Restrict access to the administrative web server by disabling remote management features or by blocking HTTP requests on the external WAN interface. The administrative web server may listen on ports 80/tcp or 8080/tcp.

D-Link has confirmed that the affected D-Link routers disable web configuration from the WAN by default. There is some evidence that at least one ISP may have deployed vulnerable routers with the remote WAN management enabled.

Vendor Information

248083
Expand all

D-Link Systems, Inc.

Notified:  October 16, 2013 Updated:  October 17, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alpha Networks Inc

Updated:  October 17, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Planex Communications Inc

Updated:  October 17, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.5 E:F/RL:W/RC:C
Environmental 5.6 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Craig Heffner of /DEV/TTYS0 for reporting this vulnerability.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2013-6026, CVE-2013-6027
Date Public: 2013-10-12
Date First Published: 2013-10-17
Date Last Updated: 2014-07-29 23:29 UTC
Document Revision: 33

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.