Pulse Security Ltd - Security Advisory PSA-2020-004

D-Link DSL-2640B - Unauthenticated configuration reset

Advisory Information
--------------------

Published: 2020-03-28
Version: 1.0
Manufacturer: D-Link
Affected Model: DSL-2640B
Hardware version: B2
Firmware version: ver.4.01 (Europe)
Potentially affected:
- DSL-2640B, HW version B3
- DSL-2641B
Discovered by: Cristofaro Mune - Pulse Security Ltd

Vulnerability Details
---------------------

Class: CWE-305: Authentication Bypass by Primary Weakness
Public References: CVE-2020-9278
Platform: Successfully tested on D-Link DSL-2640B, HW version: B2, with the latest available firmware: EU_4.01B. Other models and/or firmware versions may also be affected.

Background Information:
D-Link DSL-2640B is an ADSL2/2+ router gateway that provides DSL, wireless and wired connectivity to local networks. The product has reached End-of-Life. No security patches or upgrades are currently provided by D-Link.

Summary:
The device can be reset to its default configuration by accessing an unauthenticated URL.

Details:
The cfm process running on the device implements the main web interface tasks, such as URL parsing and authentication enforcement during login.

No authentication is required when accessing the following URLs:
- rebootinfo.cgi
- ppppasswordinfo.cgi
- qosqueue.cmd?action=savReboot
- restoreinfo.cgi

All the URLs above, when accessed, trigger administrative actions on the device.

An attacker can reset the device configuration by accessing the URL:

http:///restoreinfo.cgi

No authentication is required for performing the action. The device default configuration is restored, including the default username and password (admin:admin).

Similarly, an attacker can reboot the device with no limitation whatsoever by accessing the URL http:///restoreinfo.cgi, potentially causing a Denial-of-Service on the network infrastructure.

Exploitability:
The vulnerability is directly exploitable from any host connected to the LAN or WiFi interface.

The vulnerability may also be exploited by an attacker on the Internet, by pivoting on a browser of a user connected to the LAN/WiFi interface.

Impacts:
Full device control can be obtained by a remote attacker, by resetting the device configuration and accessing the web interface. Malicious firmware upload or changing security-sensitive settings (e.g. DNS servers) can be achieved.

Solutions & Workaround:
Not available

Additional Information
----------------------

Timeline (dd/mm/yy):
05/02/2020: Contacted D-Link
05/02/2020: Provided vulnerability details
05/02/2020: D-Link acknowledged receipt of the report
06/02/2020: D-Link "elevated the issues to R&D for investigation"
07/02/2020: Informed D-Link of planned disclosure at 30 days from initial contact, unless more time was required for a fix.
14/02/2020: Requested CVE to Mitre Root CNA
19/02/2020: Received assigned CVE from Mitre
22/02/2020: Communicated CVE number to D-Link. Status update requested from D-Link. No response received
06/03/2020: Vulnerability publicly discussed at Nullcon 2020.
28/03/2020: This advisory.
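Because no fix is available, the practical defensive measure is to detect access to the four unauthenticated endpoints the Details section lists. The following Python script is an added example, not part of the Pulse Security advisory and not D-Link code: it scans HTTP access-log lines in Common Log Format (for instance from a transparent proxy or a mirror port in front of the router) for hits on those URLs, labels each hit by the administrative action it triggers, and flags requests whose Referer points to a host other than the device, which is what the browser-pivot path described under Exploitability would look like from the router's side. The log lines and the 192.0.2.x addresses are constructed for the example.

```python
"""
Detection example (added here; not part of the Pulse Security advisory or
of D-Link's firmware): flag requests to the unauthenticated administrative
URLs on a DSL-2640B in proxy/mirror access logs. All log lines and the
192.0.2.x addresses below are constructed sample data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints the advisory lists as reachable without authentication, mapped to
# the action they trigger. qosqueue.cmd is only an issue with
# action=savReboot, so it carries a required query parameter.
SENSITIVE = {
    "/restoreinfo.cgi": ("config-reset", None),
    "/rebootinfo.cgi": ("reboot", None),
    "/ppppasswordinfo.cgi": ("ppp-credential-disclosure", None),
    "/qosqueue.cmd": ("reboot", ("action", "savReboot")),
}

# Common Log Format with optional combined-format referer and user-agent.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def classify(target):
    """Return the event label for a request target, or None if not sensitive."""
    parts = urlsplit(target)
    entry = SENSITIVE.get(parts.path)
    if entry is None:
        return None
    label, required = entry
    if required is not None:
        key, value = required
        if parse_qs(parts.query).get(key) != [value]:
            return None
    return label


def scan(lines, device_host):
    """Return a list of alert dicts for log lines that hit a sensitive endpoint."""
    alerts = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        label = classify(m["target"])
        if label is None:
            continue
        referer = m["referer"] or ""
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        # A Referer from a host other than the device itself suggests the
        # request was issued by a page the LAN user's browser loaded from
        # elsewhere (the Internet-side pivot described in the advisory).
        cross_site = ref_host is not None and ref_host != device_host
        alerts.append({
            "src": m["src"],
            "time": m["ts"],
            "endpoint": m["target"],
            "event": label,
            "cross_site": cross_site,
        })
    return alerts


# Constructed sample log lines; 192.0.2.1 plays the role of the router.
SAMPLE_LOG = [
    '192.0.2.50 - - [28/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [28/Mar/2020:10:00:05 +0000] "GET /restoreinfo.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [28/Mar/2020:10:01:10 +0000] "GET /qosqueue.cmd?action=savReboot HTTP/1.1" 200 64 "http://lure.example/page.html" "Mozilla/5.0"',
    '192.0.2.77 - - [28/Mar/2020:10:01:12 +0000] "GET /qosqueue.cmd?action=view HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.60 - - [28/Mar/2020:10:02:30 +0000] "GET /ppppasswordinfo.cgi HTTP/1.1" 200 90 "http://192.0.2.1/main.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, "192.0.2.1"):
        flag = " (cross-site referer)" if alert["cross_site"] else ""
        print(f'{alert["time"]} {alert["src"]} {alert["event"]} via {alert["endpoint"]}{flag}')
```

On the sample input the script reports three hits (the configuration reset, the savReboot request with an off-device Referer, and the PPP password page) and ignores both the ordinary page load and the qosqueue.cmd request without the savReboot action. The Referer heuristic is only indicative: browsers may omit or strip it, so a hit with no Referer still deserves attention, while a hit with an off-device Referer is a strong signal that a LAN user's browser was used as the pivot.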