Pulse Security Ltd - Security Advisory PSA-2020-005
D-Link DSL-2640B - Hard-coded privileged account

Advisory Information
--------------------
Published: 2020-03-28
Version: 1.0
Manufacturer: D-Link
Affected Model: DSL-2640B
Hardware version: B2
Firmware version: ver.4.01 (Europe)
Potentially affected:
- DSL-2640B, HW version B3
Discovered by: Cristofaro Mune - Pulse Security Ltd

Vulnerability Details
---------------------
Class: CWE-798: Use of Hard-coded Credentials
Public References: CVE-2020-9279
Platform: Successfully tested on D-Link DSL-2640B, HW version B2, with the latest available firmware, EU_4.01B. Other models and/or firmware versions may also be affected.

Background Information:
D-Link DSL-2640B is an ADSL2/2+ router gateway that provides DSL, wireless and wired connectivity to local networks. The product has reached End-of-Life; no security patches or upgrades are currently provided by D-Link.

Summary:
An issue was discovered on D-Link DSL-2640B B2 EU_4.01B devices. A hard-coded account allows management-interface login with high privileges. The logged-in user can perform critical tasks and take full control of the device.

Details:
The cfm process running on the device implements the main web interface tasks and enforces user authentication during login. The authentication process relies on the library libpsi.so, which also provides the default credentials for the different account types.

It is possible to log in to the web interface of the device with the following account:

username: user
password: 00202b004720

Additionally, the same credentials can be used to log in to the ftp, telnet and ssh services.

The credentials are hard-coded in the libpsi.so library and cannot be replaced or removed other than with a firmware update. The same credentials are also visible in the GPL source code provided for the device.
The source code package EU_DSL-2640B_EU_4[1].00_3-10-02-29_GPL.tar.gz can be downloaded from the following D-Link website:
https://tsd.dlink.com.tw/gpl2008.asp

The file asus_account.h, at the location EU_DSL-2640B_EU_4[1].00_3-10-02-29_GPL/EU_DSL-2640B_EU_4.00_3-10-02-29_consumer/userapps/broadcom/cfm/inc, contains:

#define ASUS_RMA_ACCOUNT_NAME ""
#define ASUS_RMA_ACCOUNT_PASSWORD ""
#define ASUS_ADMIN_ACCOUNT_NAME "admin"
#define ASUS_ADMIN_ACCOUNT_PASSWORD "admin"
#define ASUS_SUPPORT_ACCOUNT_NAME "admin"
#define ASUS_SUPPORT_ACCOUNT_PASSWORD "admin"
#define ASUS_USER_ACCOUNT_NAME "user"
#define ASUS_USER_ACCOUNT_PASSWORD "00202b004720"

Exploitability:
The vulnerability is directly exploitable from any host connected to the LAN or WiFi interface. It may also be exploited by an attacker on the Internet, by pivoting through the browser of a user connected to the LAN/WiFi interface.

Impacts:
An attacker can log in to the device remotely by using the hard-coded credentials. Full device control can be obtained, and malicious firmware upload or changes to security-sensitive settings (e.g. DNS servers) can be achieved.

Solutions & Workaround:
Not available

Additional Information
----------------------
Timeline (dd/mm/yyyy):
05/02/2020: Contacted D-Link
05/02/2020: Provided vulnerability details
05/02/2020: D-Link acknowledged receipt of the report
06/02/2020: D-Link "elevated the issues to R&D for investigation"
07/02/2020: Informed D-Link of planned disclosure at 30 days from initial contact, unless more time was required for a fix.
14/02/2020: Requested CVE from Mitre Root CNA
19/02/2020: Received assigned CVE from Mitre
22/02/2020: Communicated CVE number to D-Link. Status update requested from D-Link. No response received.
06/03/2020: Vulnerability publicly discussed at Nullcon 2020.
28/03/2020: This advisory.
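The following is an added example and is not part of the Pulse Security advisory or of D-Link's code. It shows the two checks a firmware reviewer would run against a finding like the one above: parse the ASUS_*_ACCOUNT_NAME / _PASSWORD define pairs out of asus_account.h (the header text is the content quoted above) and flag weak entries, then search an extracted binary for those same values as NUL-terminated C strings, which is how a #define'd string literal lands in .rodata. The byte blob standing in for libpsi.so is constructed for the example and is not the real library's contents.

```python
"""Added example (not from the advisory): audit helpers for hard-coded
account definitions of the asus_account.h kind.

  1. parse the ASUS_*_ACCOUNT_NAME / _PASSWORD #define pairs out of a header
     and classify each account (empty, password == username, hard-coded);
  2. search an extracted binary (e.g. libpsi.so pulled out of the firmware
     image) for those credential values as NUL-terminated C strings.

ASUS_ACCOUNT_H is the header content quoted in the advisory; FAKE_LIBPSI is a
constructed stand-in, NOT real libpsi.so contents.
"""
import re
from dataclasses import dataclass

# Content of asus_account.h as quoted in the advisory.
ASUS_ACCOUNT_H = r'''
#define ASUS_RMA_ACCOUNT_NAME ""
#define ASUS_RMA_ACCOUNT_PASSWORD ""
#define ASUS_ADMIN_ACCOUNT_NAME "admin"
#define ASUS_ADMIN_ACCOUNT_PASSWORD "admin"
#define ASUS_SUPPORT_ACCOUNT_NAME "admin"
#define ASUS_SUPPORT_ACCOUNT_PASSWORD "admin"
#define ASUS_USER_ACCOUNT_NAME "user"
#define ASUS_USER_ACCOUNT_PASSWORD "00202b004720"
'''

# Matches e.g.  #define ASUS_USER_ACCOUNT_PASSWORD "00202b004720"
_DEFINE_RE = re.compile(
    r'^\s*#define\s+ASUS_(\w+)_ACCOUNT_(NAME|PASSWORD)\s+"([^"]*)"', re.M)


@dataclass(frozen=True)
class Account:
    role: str       # RMA, ADMIN, SUPPORT, USER
    name: str
    password: str


def parse_account_header(text: str) -> list[Account]:
    """Pair up the NAME/PASSWORD defines per role, in order of appearance."""
    fields: dict[str, dict[str, str]] = {}
    order: list[str] = []
    for role, kind, value in _DEFINE_RE.findall(text):
        if role not in fields:
            fields[role] = {}
            order.append(role)
        fields[role][kind] = value
    return [Account(r, fields[r].get("NAME", ""), fields[r].get("PASSWORD", ""))
            for r in order]


def weak_accounts(accounts: list[Account]) -> dict[str, str]:
    """Return {role: reason}. Every hard-coded password is a CWE-798 finding;
    the reasons only separate the obviously bad shapes from the rest."""
    reasons = {}
    for a in accounts:
        if a.name == "" or a.password == "":
            reasons[a.role] = "empty username or password"
        elif a.password == a.name:
            reasons[a.role] = "password equals username"
        else:
            reasons[a.role] = "hard-coded password"
    return reasons


def find_c_strings(blob: bytes, values: list[str]) -> dict[str, list[int]]:
    """Offsets where each value appears as a NUL-terminated string in blob.

    A #define'd literal sits in .rodata as its bytes followed by 0x00, so the
    search requires the terminator and a NUL (or offset 0) in front, which
    keeps "user\\0" from also being reported inside "superuser\\0".
    """
    hits: dict[str, list[int]] = {}
    for v in values:
        needle = v.encode() + b"\x00"
        offs, start = [], 0
        while (i := blob.find(needle, start)) != -1:
            if i == 0 or blob[i - 1] == 0:
                offs.append(i)
            start = i + 1
        hits[v] = offs
    return hits


# Constructed stand-in for a stripped library's .rodata (NOT real libpsi.so).
FAKE_LIBPSI = (b"\x7fELF" + b"\x00" * 12
               + b"admin\x00user\x0000202b004720\x00superuser\x00"
               + b"%s:%s\x00login\x00")


def audit(header: str = ASUS_ACCOUNT_H, blob: bytes = FAKE_LIBPSI):
    """Run both checks; returns (accounts, weak-account reasons, string hits)."""
    accounts = parse_account_header(header)
    passwords = sorted({a.password for a in accounts if a.password})
    return accounts, weak_accounts(accounts), find_c_strings(blob, passwords)


if __name__ == "__main__":
    accts, weak, hits = audit()
    for a in accts:
        print(f"{a.role:8} name={a.name!r:10} password={a.password!r:16} {weak[a.role]}")
    for pw, offs in hits.items():
        print(f"{pw!r} found in blob at offsets {offs}")
```

To use this against a real image, extract the root filesystem, read libpsi.so (or any binary of interest) as bytes and pass it as `blob`; a hit for the USER password at a fixed offset in the shipped library is the confirmation that the credential is baked into the binary rather than loaded from configuration, which is why the advisory states it cannot be changed without a firmware update.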