D-Link routers carrying security hole which allows for remote code execution
However despite the threat, the company isn’t planning to release a security patch.
Why won’t D-Link fix it? Quite simply because the affected models – the DIR-652, DIR-655, DIR-866L and DHP-1565 – have passed their end-of-support deadline, so no longer get any fixes applied by the manufacturer.
The problem is an “unauthenticated command-injection vulnerability” (FG-VD-19-117 / CVE-2019-16920) according to security firm Fortinet.
A remote attacker can “send an arbitrary input to the device common gateway interface that could lead to common injection”, the company explains, and upon successfully implementing that, the attacker can subsequently retrieve the admin password, install a backdoor and basically wreak all manner of havoc.
Because this won’t ever be patched, if you own one of these D-Link routers, every time you go online you’re pretty much rolling the dice in terms of potentially being exploited (to maybe devastating effect).
So really the only sane solution is to upgrade your router to a new model.
Fortinet further notes: “The root cause of the vulnerability is due to the lack of a sanity check for arbitrary commands executed by the native system command execution, which is a typical security pitfall suffered by many firmware manufacturers.”
Unsportingly short support?
As Tom’s Guide, which spotted this, observed, one of the affected models, namely D-Link’s DIR-866L, was released in 2014 and only went out of support last year – so indeed it was only supported for four years, which seems a little thin. Particularly given that the DIR-655 was supported for 12 years…
What’s also slightly worrying is that Fortinet says the aforementioned four routers are definitely affected, but more models could potentially be hit by this security flaw. No other routers have been named yet, but it’s certainly worth bearing that in mind.
If this development has got you urgently seeking a new device, then check out our roundup of the best routers of 2019 for some inspiration.