D-Link router remote code execution vulnerability will not be patched

Researchers have publicly disclosed the existence of a severe remote code execution vulnerability in a range of D-Link routers. 

Last week, Fortinet’s FortiGuard Labs said the vulnerability at the heart of the issue, tracked as CVE-2019-16920, was discovered in September 2019. 

According to the Fortinet researcher Thanh Nguyen Nguyen, the unauthenticated command injection vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 product lines. 

The vulnerability is described as an RCE prompted by attackers sending arbitrary input to a “PingTest” gateway interface, leading to command injection and full system compromise. The critical bug has been issued a CVSS v3.1 base score of 9.8 and a CVSS v2.0 base score of 10.0. 

See also: D-Link to undergo security audits for 10 years as part of FTC settlement

In order to trigger the security flaw, Fortinet says attackers can perform a login action remotely that is poorly authenticated. 

The bad authentication check allows code to execute whether or not a user has the privilege to do so, for a POST HTTP Request via PingTest to be sent, and for attackers to either grab administrator credentials or install a backdoor. 

The security researchers disclosed their findings to D-Link on September 22. Within 24 hours the hardware vendor had confirmed the vulnerability, and three days later, D-Link said that as the products are at End of Life (EOL) support, no patch will be released. 

CNET: Renewed calls for backdoor access to encryption have all the same flaws

Given the age of these routers, it is not surprising that D-Link has chosen not to issue a fix. Our devices — and their firmware — all have an expiry date and eventually support does end, and therefore users of these routers should consider replacing their aging products to mitigate the risk of exploit. 

However, not every security-related decision D-Link has ever made can necessarily be considered reasonable. 

TechRepublic: How to create and export a GPG keypair on macOS

In related news, D-Link recently agreed to a settlement with the US Federal Trade Commission (FTC) to lay to rest accusations of failing to tackle vulnerability reports and misrepresenting the security of its products. 

As part of the agreement, the vendor will create a new security program for routers and Internet-connected products, and will also submit to security audits for the next ten years. 

ZDNet has reached out to D-Link for comment and will update if we hear back.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0