16 D-Link routers with backdoor (CVE-2024-6045)

[madires]

D-Link forgot to remove the debugging backdoor (CVE-2024-6045):
- Taiwanese CERT: https://www.twcert.org.tw/en/cp-139-7880-629f5-2.html
- D-Link's Security Announcement: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10398
- affected routers: E15, E30, G403, G415, G416, M15, M18, M30, M32, M60, R03, R04, R12, R15, R18, R32

[Karel]

D-Link forgot to remove the debugging backdoor

How do you know that they didn't do it by purpose, hoping that nobody would notice?
Or do you simply assume that they are not evil?

[madires]

Most likely we'll never know. However, based on their track record I tend towards 'forgot to remove".

[Monkeh]

D-Link forgot to remove the debugging backdoor

How do you know that they didn't do it by purpose, hoping that nobody would notice?
Or do you simply assume that they are not evil?

Simple incompetence explains the behaviour of these companies adequately on many levels, not merely their security failings.

[Karel]

D-Link forgot to remove the debugging backdoor

How do you know that they didn't do it by purpose, hoping that nobody would notice?
Or do you simply assume that they are not evil?

Simple incompetence explains the behaviour of these companies adequately on many levels, not merely their security failings.

I'm not convinced. If it wasn't meant to stay, why did they try to hide it?

Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor.
Unauthenticated attackers on the local area network can force the device to enable
Telnet service by accessing a specific URL and can log in by using the administrator
credentials obtained from analyzing the firmware.

[SiliconWizard]

Nice.
I really recommend installing OpenWrt on your router if your hardware is supported, anyway. If not having backdoors, the firmware of most routers are pumped full of telemetry and other crap.

[DiTBho]

If not having backdoors, the firmware of most routers are pumped full of telemetry and other crap.

direct experience: also fw based on uboot and redboot
Recompiling these firmware by removing crappy parts... it was not an easy or immediate thing

Who knows about Ubiquiti's and MikroTik's routers... 

[magic]

Maybe the company forgot, but the particular employee who added the backdoor actually wanted it

[raymond1234]

Hello all, I am the researcher who reported this vulnerability and I don't think it is being added on purpose, here's why:

• It can only be triggered from LAN-side, WAN-side attacker can not directly gain access to intranet without a open redirection via social engineering users inside intranet.
• The hidden backdoor is a code port of older models, which is previously reported (by another security researcher) but not patched properly due to EOL (end of lifecycle)

I have confirmed the patch after it had been released, the backdoor along with another path traversal vulnerability is removed, so panic not, it's a piece of legacy debug code existing there somehow.

[Kjelt]

Asus also needed to update their routers lately for CVE-2024-3079 en CVE-2024-3080 issues.
But older routers do not get a patch, I find that unacceptable.
The least they could do is bring out a new firmware with a big warning on the login page that the router is unsecure.

[madires]

Most manufacturers provide updates/patches only for two or three years before EOL-ing the router. They want you to buy a new device to make money. For long term support I'd recommend to get routers which are supported by OpenWrt.

[Kjelt]

That is why EU legislation is so good. It forced Android phone makers to support security patches for several years.