November 12, 2024 at 03:34PM
D-Link routers, specifically the DSL6740C model, face critical vulnerabilities that allow remote attackers to take control, including password changes. D-Link will not address these issues, urging users to replace end-of-life devices. Several other high-severity vulnerabilities have also been identified, affecting around 60,000 exposed modems, primarily in Taiwan.
### Meeting Takeaways:
1. **Critical Security Issue**:
– Tens of thousands of end-of-life D-Link DSL6740C routers are exposed to a critical vulnerability allowing unauthenticated remote attackers to change user passwords and gain complete control of the device.
2. **Discovery and Reporting**:
– The vulnerability was discovered by researcher Chaio-Lin Yu (Steven Meow) and reported to Taiwan’s computer and response center (TWCERTCC).
3. **Device Availability**:
– The D-Link DSL6740C device was not sold in the U.S. and reached its end-of-service (EoS) at the beginning of the year.
4. **Vendor Response**:
– D-Link has announced that they will not issue a fix for the vulnerability and recommend retiring and replacing devices that have reached EOL/EOS.
5. **Vulnerabilities Identified**:
– Three main vulnerabilities with their CVE identifiers and severity:
– **CVE-2024-11068**: Critical flaw allowing password modifications (CVSS score: 9.8).
– **CVE-2024-11067**: High severity path traversal vulnerability (CVSS score: 7.5).
– **CVE-2024-11066**: High severity bug allowing command execution (CVSS score: 7.2).
6. **Exposed Devices**:
– Approximately 60,000 D-Link DSL6740C modems are currently exposed online, predominantly located in Taiwan.
7. **Additional Vulnerabilities**:
– TWCERTCC has identified four more high-severity OS command injection vulnerabilities affecting the D-Link device (CVE-2024-11062 to CVE-2024-11065).
8. **Vendor Policy on EoL Devices**:
– D-Link has reiterated that end-of-life devices are not eligible for security updates, even for critical vulnerabilities.
9. **Mitigation Recommendations**:
– Users unable to replace affected devices should restrict remote access and implement secure access passwords.
### Action Items:
– Evaluate replacement options for vulnerable D-Link devices.
– If replacement is not feasible, ensure that security measures (restricting access, secure passwords) are implemented promptly.