US government warns of D-Link router security flaws — patch now or potentially pay the price


The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities, found in some D-Link routers, to its database of Known Exploited Vulnerabilities (KEV), meaning it has evidence of in-the-wild abuse.

The two vulnerabilities are tracked as CVE-2014-100005 and CVE-2021-40655. The former is a cross-site request forgery (CSRF) flaw found in D-Link DIR-600 routers, while the latter is an information disclosure flaw found in D-Link DIR-605 routers. The former allows threat actors to change router configurations, while the latter enables login credential theft.

CISA did not say who is exploiting these vulnerabilities in the wild, or how, but it did give federal agencies a deadline of June 6, 2024, to address the issue.

Patches available

The best way to fix the flaws is by patching the affected devices. The cross-site request forgery vulnerability has been around for almost a decade, as it was first reported back in 2015. It is also worth mentioning that the D-Link DIR-600 devices vulnerable to this flaw have reached end-of-life status, and as such no longer receive updates or security patches.

Any new vulnerabilities found in these endpoints will remain unaddressed, so the safest thing to do at this point would be to replace them with newer models that are still receiving vendor updates and security patches.

The CSRF flaw is no game, either. It is labeled “critical”, and essentially allows threat actors to remotely hijack the authentication of administrators for requests that either create an administrator account or enable remote management via a crafted configuration module. Furthermore, attackers can use the flaw to activate new configuration settings, or send a ping via a ping action to diagnostic.php.
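The CSRF scenario described above, as an added example that is not from the article or from D-Link: a constructed Python model of a cookie-authenticated router admin endpoint that creates an account, beside a hardened version that also checks the Origin/Referer header and a per-session synchronizer token (the LAN address, session ids and account names are all assumed).

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a router admin endpoint (hypothetical, not D-Link code).
ADMIN_ORIGIN = "http://192.168.0.1"   # assumed LAN address of the router UI
SESSIONS = {"sess-abc": "admin"}       # constructed session cookie -> user
CSRF_TOKENS = {}                       # session id -> synchronizer token


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def vulnerable_add_admin(req, accounts):
    """Cookie-only auth: any page the admin's browser visits can submit this form,
    because the browser attaches the session cookie to the cross-site request."""
    if SESSIONS.get(req.cookies.get("session")) != "admin":
        return 403
    accounts[req.form["user"]] = req.form["password"]
    return 200


def issue_csrf_token(session_id):
    """Token embedded in the router's own form; a third-party page cannot read it."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_id] = token
    return token


def hardened_add_admin(req, accounts):
    sid = req.cookies.get("session")
    if SESSIONS.get(sid) != "admin":
        return 403
    # State-changing requests must originate from the router's own UI.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(ADMIN_ORIGIN):
        return 403
    # Synchronizer token must match the one issued to this session (constant-time).
    expected = CSRF_TOKENS.get(sid, "")
    if not expected or not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
        return 403
    accounts[req.form["user"]] = req.form["password"]
    return 200


def demo():
    """Same cross-site request against both handlers; returns (status, created) for each."""
    forged = Request(cookies={"session": "sess-abc"},
                     form={"user": "extra-admin", "password": "x"},
                     headers={"Origin": "http://third-party.example"})
    vuln_accounts, hard_accounts = {}, {}
    v = vulnerable_add_admin(forged, vuln_accounts)
    h = hardened_add_admin(forged, hard_accounts)
    return v, "extra-admin" in vuln_accounts, h, "extra-admin" in hard_accounts
```

A legitimate submission from the router's own page, carrying the matching Origin and the token returned by `issue_csrf_token`, still succeeds against the hardened handler.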

CVE-2021-40655, on the other hand, while allowing attackers to obtain some login credentials, has been labeled as “problematic”.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
