⬆️ ⬇️

We close the vulnerability in the Wi-Fi controllers from D-Link

A couple of months ago I discovered the following, in my opinion, extremely nasty vulnerability in the D-Link DWC-1000 and DWC-2000 controllers.



If from the inside of the network (whether guest or admin) on the DWC controller does not change the Guest password, then you can connect to SSH through this default record Guest - guest. Yes, that's right - through the disabled Guest account. It seems that there shouldn't be anything terrible - let the attacker look at the settings, all passwords in the view mode are encrypted. But here is the second unpleasant moment - under this guest record you can download a backup copy of the config file and there are admin passwords in the clear view.



I reported about this vulnerability in D-Link (by the way, unlike other vendors, the site does not have a security contact button and had to search for responsible employees via LinkedIn), and after 2 months I received an answer confirming the vulnerability and the imminent release of updates. Correspondence below.



Query: for DWC-2000, firmware v4.7.0.3, with SSH (by default) Attach device using username “guest” and “guest” (yes, it is disabled for Web, but works for SSH). After this, you can use the commands utilization -> backup configuration file -> ip of the TFTP server.



')

Answer: Guest account vulnerability by SSH SPR # 63945 will be part of upstream releases:

DWC-1000 / C1: v471X, mid-Sept-2018

DWC-2000: v471X, mid-Oct-2018



I recommend the owners of DWC-1000 and DWC-2000 to change the guest passwords, check the absence of bookmarks and install firmware updates after the release.

Source: https://habr.com/ru/post/421167/



All Articles