SpiderLabs Blog

Multiple Vulnerabilities in Comba and D-Link Routers

Overview

There are five new credential-leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials, including three where cleartext credentials are available to any user with network access to the device.

Since your router is the gateway in and out of your entire network, a compromised router can potentially affect every user and system on that network. Unfortunately, none of these vulnerabilities have been patched despite multiple outreach attempts to both D-Link and Comba from the disclosure team.

Vulnerability Details

While performing research on potential router vulnerabilities, Trustwave SpiderLabs Security Researcher Simon Kenin uncovered multiple credential vulnerabilities in some models of D-Link and Comba routers. Unfortunately, these types of vulnerabilities are more common than they should be: Simon previously reported a similar vulnerability in Netgear routers (CVE-2017-5521), as have other Trustwave SpiderLabs Security Researchers over the years in Netgear and Humax routers.

D-Link Vulnerabilities

First let's look at the issues with the D-Link routers.

Simon's first finding affects the D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem. At least versions 1.00.01 and 1.00.05 are affected, and likely others as well, since he was unable to test all versions. That router model contains a password disclosure vulnerability in the file romfile.cfg. This file is available to anyone with access to the web-based management IP address and does not require any authentication. The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there.

The second D-Link finding affects the same model DSL-2875AL and also the DSL-2877AL. Anyone looking at the source code of the router login page (https://[router ip address]/index.asp) would see the following lines:

var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';

The username and password listed there are the ones the user's router uses to connect to the ISP. This could allow an attacker to access the ISP account, or the router itself if the admin reused the same credentials. You can read more about these advisories here: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26165

Comba Telecom Vulnerabilities

Simon also discovered three separate credential vulnerabilities in Comba brand routers.

The first finding is in the Comba AC2400 Wi-Fi Access Controller. An unauthenticated request for the URL https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true results in saving a configuration file DBconfig.cfg. Credentials are stored at the end of that file in the following format:

#**#admin#**#system#**#61d217fd8a8869f6d26887d298ce9a69#**#0#**#3#**#2#**#2#**#2017-01-01#**#forever

That string in the middle, "61d217fd8a8869f6d26887d298ce9a69", is an unsalted MD5 hash of the password to the device (in this case "trustwave"). MD5 is fast and unsalted, so hashes of simple or common passwords are often easy to reverse. If SSH or Telnet is enabled, this could lead to full takeover of the device's filesystem.

The second and third findings affect the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2). In the first case, you only need to look at the source code of the web-based management login page. You'll find entries like the following:

<input type="hidden" id="md5UserName" name="md5UserName" value="c3284d0f94606de1fd2af172aba15bf3">
<input type="hidden" id="md5Password" name="md5Password" value="cf53f2575640f4b8e4b68947671c8608">

The value attributes hold the double MD5, i.e. md5(md5(value)), of the plaintext username and password for the Access Point (in this case "admin" and "trustwave"). Using MD5 twice does not make the result meaningfully harder to reverse than a single MD5.
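To make the two Comba storage formats above concrete, here is an added example (not code from the post or from Comba) that parses a "#**#"-delimited DBconfig.cfg credential record and the hidden-input hashes from the AP2600-I login page, and confirms the double-MD5 scheme for the known admin account name. The field names for the DBconfig.cfg record and the sample inputs are assumptions constructed from the layouts shown in the post.

```python
import hashlib
import re

# Constructed sample of the AC2400 DBconfig.cfg credential record, in the layout shown above.
SAMPLE_DBCONFIG_LINE = (
    "#**#admin#**#system#**#61d217fd8a8869f6d26887d298ce9a69"
    "#**#0#**#3#**#2#**#2#**#2017-01-01#**#forever"
)

# Constructed fragment of the AP2600-I login page with the hidden inputs shown above.
SAMPLE_LOGIN_HTML = """
<input type="hidden" id="md5UserName" name="md5UserName" value="c3284d0f94606de1fd2af172aba15bf3">
<input type="hidden" id="md5Password" name="md5Password" value="cf53f2575640f4b8e4b68947671c8608">
"""

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_dbconfig_record(line: str) -> dict:
    """Split one '#**#'-delimited record into fields. Names (user, role, pw_hash)
    are an assumption inferred from the record layout in the post."""
    fields = [f for f in line.split("#**#") if f != ""]
    if len(fields) < 3 or not MD5_HEX.match(fields[2]):
        raise ValueError("not a recognised credential record")
    return {"user": fields[0], "role": fields[1], "pw_hash": fields[2], "extra": fields[3:]}

def parse_hidden_hashes(html: str) -> dict:
    """Collect the value= attributes of the md5UserName / md5Password hidden inputs."""
    pat = re.compile(r'name="(md5UserName|md5Password)"\s+value="([0-9a-f]{32})"')
    return {name: val for name, val in pat.findall(html)}

def is_double_md5_of(candidate: str, hexdigest: str) -> bool:
    """True if hexdigest == md5(md5(candidate)), the scheme described for the AP2600-I."""
    return md5_hex(md5_hex(candidate)) == hexdigest

def audit_comba_hidden_fields(html: str, expected_user: str = "admin") -> list:
    """Report unsalted hashes exposed in page source and whether md5UserName matches
    the double-MD5 of the account name the auditor already knows."""
    found = parse_hidden_hashes(html)
    findings = [f"{n} exposes an unsalted hash in page source" for n in found]
    if "md5UserName" in found and is_double_md5_of(expected_user, found["md5UserName"]):
        findings.append(f"md5UserName == md5(md5('{expected_user}')): double-MD5 scheme confirmed")
    return findings
```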

Finally, on the same model AP2600-I WiFi Access Point you can load https://[router ip address]/goform/downloadConfigFile without having to authenticate. This will result in downloading a file named femtoOamStore.db. The file is an SQLite database, and the username and password are stored in plain text in a table named "TABLE_SERVICE_INF".

You can read more about these advisories here: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26164

Summary

These types of router vulnerabilities are very serious. Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites. An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website. We have even seen instances of attacker-controlled routers manipulating web traffic to embed their own content. About a year ago, Simon discovered that unpatched Mikrotik routers were being used to embed cryptojacking scripts in all web traffic passing through them.

Unfortunately, there is not much in the way of mitigating the Comba Telecom findings. After reaching out multiple times, Comba Telecom was simply unresponsive.

D-Link’s response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs. After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.

However, days before releasing these advisories, D-Link provided information that the issues have been fixed. While it’s always good to hear that vulnerabilities have been patched (that is our goal after all) it sometimes takes the leverage of full disclosure to force organizations to scramble to do in one week what nine months of good faith outreach could not.

We have been unable to verify whether these fixes actually resolve the issues, but the firmware links are as follows:

DSL-2875AL :: Firmware v1.00.08AU 20161011 :: http://files.dlink.com.au/products/DSL-2875AL/REV_A/Firmware/Firmware_v1.00.08AU_20161011/DSL2875ALA1_FW1.00.08AU_20161011.bin

DSL-2877AL :: Firmware 1.00.20AU 20180327 :: http://files.dlink.com.au/products/DSL-2877AL/REV_A/Firmware/Firmware_1.00.20AU_20180327/DSL2877ALA1_FW1.00.20AU_20180327.bin

Users of these routers and access points will want to verify that they are on the most recent firmware and may want to use internal filtering controls or a separate filtering device like a firewall to limit access to the web-based management of these devices to only a small set of authorized IP addresses.
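As an added example of the detection side of that advice (not code from the post or from either vendor), the following checks access logs from a proxy or firewall in front of the management interface for fetches of the three unauthenticated configuration endpoints named above from addresses outside a management allowlist. The Common Log Format lines and the allowlist are constructed for the example.

```python
import ipaddress
import re

# The unauthenticated configuration-disclosure paths named in the advisories above.
SENSITIVE_PATHS = (
    "/romfile.cfg",                          # D-Link DSL-2875AL
    "/09/business/upgrade/upcfgAction.php",  # Comba AC2400 (with download=true)
    "/goform/downloadConfigFile",            # Comba AP2600-I
)

# Constructed sample log lines (Common Log Format) for a device management interface.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Sep/2019:10:01:02 +0000] "GET /index.asp HTTP/1.1" 200 5123
203.0.113.7 - - [10/Sep/2019:10:01:09 +0000] "GET /romfile.cfg HTTP/1.1" 200 8811
192.168.1.10 - - [10/Sep/2019:10:02:15 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 200 20480
198.51.100.23 - - [10/Sep/2019:10:03:40 +0000] "GET /goform/downloadConfigFile HTTP/1.1" 200 65536
203.0.113.7 - - [10/Sep/2019:10:04:01 +0000] "GET /romfile.cfg HTTP/1.1" 404 219
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def parse_clf(line: str):
    """Parse one CLF line into a dict, splitting the query string off the path."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "ts": ts, "method": method, "path": path, "query": query,
            "status": int(status), "bytes": int(size)}

def find_config_disclosure(log_text: str, allowed_nets) -> list:
    """Alert on requests for sensitive paths from outside the management allowlist.
    A 2xx response means the file was served ("disclosure"); anything else is an "attempt"."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["path"] not in SENSITIVE_PATHS:
            continue
        if any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
            continue  # management traffic from an authorised address
        severity = "disclosure" if 200 <= rec["status"] < 300 else "attempt"
        alerts.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                       "severity": severity})
    return alerts
```

Requests from inside the allowlist are deliberately not alerted on here, but a fetch of these files from any address is still worth reviewing, since the endpoints require no authentication.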
