Four vulnerabilities in D-Link routers have been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog this week. Also included in this week’s catalogue updates were now-patched zero-day vulnerabilities in Google Chrome, and Photo Station QNAP software.
Three of the D-Link vulnerabilities identified as exploited by their addition to this list are tagged as ‘critical’ severity flaws, and are reported by Unit 42 researchers to be exploited, alongside another D-Link vulnerability from 2015, in Mirai malware ‘MooBot’ botnet attacks. MooBot is a variant of the Mirai malware that target exposed network devices running Linux. Critical vulnerabilities CVE-2022-26258 and CVE-2022-28958 allow for remote code execution (RCE) in the compromised D-Link devices through two different but similar attacks. CVE-2022-26258 is present in DIR-820L routers and allows for RCE in the Device Name parameter in /lan.asp. CVE-2022-28958 is present in DIR-816L routers and allows for RCE in the value parameter of shareport.php.
The other vulnerability CISA included in their catalogue this week is CVE-2018-6530, which exists in multiple D-Link routers, some of which are end-of-life products. This vulnerability is an OS command injection flaw that allows for RCE of arbitrary OS commands through the service parameter. Attackers can use these critical severity vulnerabilities to fully control these D-Link devices, run remote code in the wget utility to download MooBot samples and trigger the downloaded binaries, and execute further attacks on the devices such as distributed denial of service (DDoS) attacks.
The fourth D-Link vulnerability that was identified by CISA as actively exploited, CVE-2011-4723, was first identified in 2011, and exists in an end-of-life product the DIR-300 router. This product stores cleartext passwords, which attackers can exploit to obtain sensitive information. Although patches exist that address CVE-2018-6530, the majority of these vulnerabilities are present in end-of-life products, which no longer receive security updates. Advice to avoid these vulnerabilities being exploited is to disconnect all end-of-life products, and upgrade to a router that is currently supported by the vendor.