Multiple Vulnerabilities in D-Link, Comba Routers, Warns Trustwave

A security researcher from Trustwave has gone public about flaws found in a number of routers from D-Link and Comba, which have failed to act on the warnings.

The flaws are so serious that they could allow for usernames and passwords stored on the router to be compromised by outside parties.

Router flaws are potentially dangerous, as the device acts as a Internet gateway for the individual networks of homes and businesses, and all the users and devices using that network are potentially vulnerable. An attacker-controlled router could for example manipulate how users resolve DNS hostnames to direct users to malicious websites.

D-Link flaws

Trustwave said it had gone public as “none of these vulnerabilities have been patched despite multiple outreach attempts to both D-Link and Comba from the disclosure team.”

There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin,” blogged Trustwave. “Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.

Simon Kenin is a Trustwave SpiderLabs security researcher, and he has previously uncovered flaws with Netgear and Humax routers.

Kenin found an issue with the D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem.

The flaw with this router model concerns a password disclosure vulnerability in the file romfile.cfg. This file is available to anyone with access to the web-based management IP address and does not require any authentication.

The second flaw also affects the same model DSL-2875AL, as well as the DSL-2877AL model. Kenin warned that anyone looking at the source code of the router login page could see the username and password listed there.

“This could allow an attacker to access the ISP account or the router itself if they admins reused the same credentials,” he warned.

Comba flaws

Meanwhile Kenin also discovered three separate credential vulnerabilities in Comba brand routers.

The first flaw is in the Comba AC2400 Wi-Fi Access Controller, where an unauthenticated request for the URL results in saving a configuration file DBconfig.cfg. Credentials are stored at the end of that file.

The second and third flaw affects the Comba AP2600-I WiFi Access Point, where a person only needs to look at the source code of the web-based management login page to find password and usernames

The same model AP2600-I WiFi Access Point also allows a person to load a webpage without having to authenticate. This will result in downloading a file named femtoOamStore.db, which stored the username and password in plain text.

Shoddy response

“These types of router vulnerabilities are very serious,” said Trustwave, which lamented the response of both Comba and D-Link. The latter at least finally patched the flaws.

“Unfortunately, there is not much in the way of mitigating the Comba Telcom findings,” warned Trustwave. “After reaching out multiple times, Comba Telcom was simply unresponsive.”

“D-Link’s response to these findings was confusing and unfortunately very typical for organisations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs,” it said.

“After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy,” Trustwave said. “We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.”

Thankfully after nine months of trying to get a response, D-Link fixed the flaws days before Trustwave released the advisories.

Do you know all about security? Try our quiz!