Secure your D-Link & Comba routers’ passwords; critical vulnerabilities found

Web application security specialists have discovered a set of vulnerabilities in D-Link and Comba WiFi devices that, if exploited, could leak the owners’ passwords. The researchers, from security firm Trustwave, reported five flaws in total, which they rate as critical.

Experts discovered two flaws in the firmware of D-Link DSL-2875AL and DSL-2877AL wireless routers. The first vulnerability exposes a configuration file that stores the device administrator’s password to any unauthenticated user.

“More than a vulnerability, the second one is a company’s oversight,” the report notes. In this case, the source code of the router’s login page contains the Internet service provider’s user name and password in plain text, so anyone who can load the login page can read the ISP credentials without logging in. The company has already released firmware updates for the affected models.

Although the researchers notified the company of these flaws in a timely manner, D-Link did not announce any action until the experts, after the agreed disclosure deadline had passed, expressed their intention to publish the findings. “While D-Link’s initial response wasn’t encouraging at all, the vulnerabilities have already been fixed,” the experts added.

Separately, web application security experts led by researcher Simon Kenin discovered three security vulnerabilities in the Comba AC2400 access controller and the AP2600 access point. “The first of these failures involves the plain text storage of MD5 passwords; only the IP address of a vulnerable device is required to access this information,” the report mentions.

Meanwhile, the AP2600 stores the MD5 hash of the password both in the login page source and in a configuration file, and both are accessible to anyone who knows the device’s IP address, the experts say. Exposing the hash is only marginally better than exposing the password itself: MD5 is fast, and when the hash is unsalted a short or dictionary-based password can be recovered offline in seconds with a wordlist.
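The two failure modes described above (credentials embedded in the login page source, and an MD5 hash stored where an unauthenticated client can read it) can be checked for on your own devices. The following is an added example written for this page, not code from Trustwave or from either vendor: it scans a page source or configuration dump for password-like assignments and 32-hex MD5 values, then shows why an exposed unsalted hash is close to a plaintext leak by recovering it from a wordlist. The sample HTML, config file, variable names and wordlist are all constructed for the example and do not come from any real device.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of a router login page that embeds credentials
# in the way the article describes. Made up for this example.
SAMPLE_LOGIN_PAGE = """<html><head><title>Router Login</title>
<script>
var pppoe_user = "user@isp.example";   // ISP account in page source
var pppoe_pass = "Summer2019";
var admin_hash = "5f4dcc3b5aa765d61d8327deb882cf99";  // md5("password")
function login() { /* ... */ }
</script>
</head><body>...</body></html>"""

# Constructed sample of a configuration file served without authentication.
SAMPLE_CONFIG_FILE = """[wan]
pppoe_username=user@isp.example
pppoe_password=Summer2019
[system]
admin_password_md5=5f4dcc3b5aa765d61d8327deb882cf99
"""

# Constructed wordlist; a real audit would use a large public list.
WORDLIST = ["123456", "admin", "password", "letmein"]

# 32 hex characters on a word boundary: the shape of an MD5 digest.
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")

# name = value / name: value, where the name looks credential-related.
# Quotes around the value are optional so both JS and INI-style lines match.
CREDENTIAL_ASSIGN = re.compile(
    r"""(?P<name>\w*(?:pass|pwd|password|user|username|login)\w*)"""
    r"""\s*[:=]\s*["']?(?P<value>[^"'\s;<>]+)["']?""",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str   # "plaintext_credential" or "md5_hash"
    name: str   # variable/field name, or "" for a bare hash
    value: str  # the literal or the lowercase hash


def find_embedded_credentials(text: str) -> list[Finding]:
    """Flag credential-like assignments and MD5-shaped values in page source or config text."""
    findings: list[Finding] = []
    seen_hashes: set[str] = set()
    for m in CREDENTIAL_ASSIGN.finditer(text):
        name, value = m.group("name"), m.group("value")
        if MD5_HEX.fullmatch(value):
            # A password field holding a hash: report it as a hash, not a literal.
            seen_hashes.add(value.lower())
            findings.append(Finding("md5_hash", name, value.lower()))
        else:
            findings.append(Finding("plaintext_credential", name, value))
    # Hashes stored under non-obvious names still show up by shape.
    for h in MD5_HEX.findall(text):
        if h.lower() not in seen_hashes:
            seen_hashes.add(h.lower())
            findings.append(Finding("md5_hash", "", h.lower()))
    return findings


def recover_passwords(findings: list[Finding], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on every exposed MD5 hash; returns {hash: password} for hits."""
    targets = {f.value for f in findings if f.kind == "md5_hash"}
    recovered: dict[str, str] = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()  # unsalted, as in the flaw
        if digest in targets:
            recovered[digest] = word
    return recovered


if __name__ == "__main__":
    for label, text in (("login page", SAMPLE_LOGIN_PAGE), ("config file", SAMPLE_CONFIG_FILE)):
        findings = find_embedded_credentials(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.kind:20} {f.name or '-':20} {f.value}")
        for digest, word in recover_passwords(findings, WORDLIST).items():
            print(f"  hash {digest} recovered as {word!r}")
```

To use this against your own equipment, fetch the login page source and any configuration export from an unauthenticated session on the LAN and pass the text to `find_embedded_credentials`; any `plaintext_credential` finding, or an `md5_hash` that `recover_passwords` cracks with a common wordlist, means the device is leaking a usable secret and its password must be changed after the firmware update.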

Both companies have commented on the findings, and firmware updates addressing these security flaws are already available. International Institute of Cyber Security (IICS) web application security specialists recommend that administrators of these devices upgrade to the latest software versions to mitigate the risk of exploitation. Because the flaws exposed credentials to anyone who could reach the device, administrators should also change the administrator password and the ISP account password after updating, since those values may already have been read.
