Security Week 26: Vulnerabilities in D-Link and Netgear Routers
Let’s start with D-Link: the problem was found in the DIR-865L model (news, study, vendor bulletin). In total, six vulnerabilities were discovered that, individually or in a specific combination, allow an attacker to take control of the device.
All of the holes require presence on the local network. For example, in the web interface for file sharing, credentials are transmitted in clear text: they can be intercepted and, after modifying the user id, used to access password-protected documents. In a similar way, one can get into the router’s basic settings by exploiting a vulnerability in the web server or by intercepting the “unique” session cookie of the current owner, which is generated by a weak algorithm. That attack requires one more step, but a rather simple one: convincing the user to open a specially crafted link in the browser.
The vulnerabilities in Netgear routers cover a large number of devices: 79 models (news, study, another study). Researcher Adam Nichols from Grimm discovered the problem while analyzing firmware for R7000 series routers.
The code above refers to the router’s firmware update routine. Inadequate validation of user input leads to a buffer overflow and, in theory, to arbitrary code execution. The result in Nichols’ PoC: the router’s settings become accessible over telnet without a password. Stack cookies would help prevent exploitation of such a vulnerability, but the firmware of the studied router has no such protection. Moreover, according to Nichols, the Netgear D8500 router once had a mechanism that complicated the exploitation of buffer-overflow-type vulnerabilities, but it was removed from the code.
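As an added illustration of the bug class described above (not code from Nichols’ study or from any Netgear firmware), here is the flawed pattern as a comment beside a length-checked copy, using a constructed update-message layout and constructed sample messages:

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout (not the Netgear firmware's): an update message
 * declares its payload length, and the device copies the payload into a
 * fixed-size staging buffer. declared_len comes from the network, so it
 * must be treated as untrusted. */
#define IMAGE_BUF_SIZE 64

struct update_msg {
    uint32_t declared_len;     /* length claimed by the sender */
    const uint8_t *payload;    /* bytes received so far */
    size_t payload_avail;      /* how many of them actually arrived */
};

/* The flawed pattern the article describes trusts declared_len outright:
 *     uint8_t image[IMAGE_BUF_SIZE];
 *     memcpy(image, msg->payload, msg->declared_len);   // no bounds check
 * Anything beyond IMAGE_BUF_SIZE overwrites the stack frame. A stack
 * cookie (e.g. gcc -fstack-protector) would abort before the corrupted
 * return address is used; it does not replace the missing check. */

/* Hardened copy: reject the message unless declared_len fits both the
 * destination and the bytes actually received. Returns the number of
 * bytes copied, or -1 if the message is rejected. */
int copy_update_payload(const struct update_msg *msg, uint8_t *dst, size_t dst_size)
{
    if (msg == NULL || dst == NULL || msg->payload == NULL)
        return -1;
    if (msg->declared_len > dst_size)            /* would overflow dst */
        return -1;
    if (msg->declared_len > msg->payload_avail)  /* would read past input */
        return -1;
    memcpy(dst, msg->payload, msg->declared_len);
    return (int)msg->declared_len;
}

/* Stage a payload into a stack buffer of IMAGE_BUF_SIZE bytes. */
int handle_update(const uint8_t *payload, size_t avail, uint32_t declared_len)
{
    uint8_t image[IMAGE_BUF_SIZE];
    struct update_msg msg = { declared_len, payload, avail };
    return copy_update_payload(&msg, image, sizeof image);
}

/* Constructed sample messages: a well-formed one, one that claims more
 * than the staging buffer holds, and one that claims more than arrived. */
int demo_valid_update(void)     { uint8_t p[16];  memset(p, 0xAB, 16);  return handle_update(p, 16, 16); }
int demo_oversized_update(void) { uint8_t p[256]; memset(p, 0xAB, 256); return handle_update(p, 256, 256); }
int demo_truncated_update(void) { uint8_t p[16];  memset(p, 0xAB, 16);  return handle_update(p, 16, 40); }
```

The oversized and truncated messages are rejected before any copy takes place, which is the check that was missing in the pattern described above.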
What is interesting in these cases is the models’ release dates and the vendors’ reactions. D-Link’s developers consider the DIR-865L model outdated and no longer deliver updates, although they still released a “beta version” of the firmware that partially covers the discovered vulnerabilities. As for the Netgear routers (list), information about the vulnerabilities was passed to the vendor in January, but at the time of publication no fix was available.
The D-Link router was released in 2015, and its support continued until 2018. Among the affected Netgear devices is the AC1450, released in 2016, although analysis of the firmware indicates that the vulnerability has been present since 2007. In any case, we are talking about completely modern devices, not about a ten-year-old modem that it is high time to replace.
D-Link’s three-year support cycle is longer than the typical two-year update period for smartphones, but for such long-lived hardware it still comes out too short. The result is an awkward situation: tens of thousands of devices are still serving their owners perfectly well, yet they have security holes that the vendor is having trouble fixing.
What else happened:
Google developers continue to experiment with hiding the full URL in the address bar of the Chrome browser (article on Ars Technica, discussion on Habr). In Chrome 85, a flag appeared that shows only the visited domain, without further details. In addition, moderators have removed over a hundred extensions from the Chrome Web Store. These are mainly file converters, all created by one developer and used to steal data and lead users to malicious sites.
VICE reminds us that you cannot afford to lose the phone number to which accounts in instant messengers or other services are tied. The author of the article purchased a new SIM card and accidentally gained access to the WhatsApp account of the number’s previous owner. Conclusion: if a number is no longer in use, it is advisable to move the service accounts tied to it elsewhere.
The results of the Deepfake Detection Challenge, organized by Facebook, Google, Amazon and others, have been summed up. Participants were asked to come up with a solution that could distinguish real videos from fakes created using neural networks. To train the models, the organizers created a database of 100 thousand edited videos recorded by professional actors. The results are so-so: on the test dataset, the best algorithm detected fakes in 82% of cases, but on the control dataset the result dropped to 65%. This level is unacceptable for automated fake-video detection systems.
After a recent heated discussion, the Zoom web conferencing service will still provide end-to-end encryption for all customers, not just paying ones.
Adobe released an unscheduled update for a number of its products, including Premiere and Illustrator.
The results of the CIA’s investigation into the massive 2016 leak of cyber-attack tools (known as Vault 7) have been partially disclosed in the USA. The report was reviewed in detail in an article in The Washington Post. In short, security among the tech-intelligence officers was not maintained at the proper level, down to a single password for access to secret data, which almost everyone knew.