Digital security specialist Trustwave has discovered five new “credential leaking” vulnerabilities in several broadband routers from Comba and D-Link. Unfortunately, not all of these vulnerabilities have been patched “despite multiple outreach attempts” by the company to manufacturers.
All of the vulnerabilities appear to involve insecure storage of credentials, including three where cleartext credentials (i.e. sensitive information that has not been subjected to encryption) were available to any user with network access to the device.
The first finding affects the D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem. At least versions 1.00.01 & 1.00.05 are affected and likely others as well. That router model contains a password disclosure vulnerability in the file romfile.cfg, which is available to anyone with access to the web-based management IP address and does not require any authentication.
The second D-Link finding affects the same model DSL-2875AL and also the DSL-2877AL. Anyone looking at the source code of the router login page would see the following lines:
var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';
The username & password listed there are used by the user to connect to his/her broadband ISP. This could allow an attacker to access the ISP account or the router itself if the admins reused the same credentials. You can read more about these advisories here.
Comba Telecom Vulnerabilities
Next up we have the Comba AC2400 Wi-Fi Access Controller. An unauthenticated request for the URL "https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true" results in the download of a configuration file, DBconfig.cfg. The credentials are stored at the end of that file in the following format:
That string in the middle, "61d217fd8a8869f6d26887d298ce9a69", is an MD5 hash (a one-way hash, not encryption) of the password to the device (in this case "trustwave"). MD5 hashes are often easy to reverse, especially for simple or common passwords. If SSH/Telnet is enabled, this could lead to full takeover of the device's file system.
The second and third findings affect the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2). For the first of these, you only need to look at the source code of the web-based management login page, where you'll find entries like the following:
<input id="md5UserName" name="md5UserName" type="hidden" value="c3284d0f94606de1fd2af172aba15bf3" />
<input id="md5Password" name="md5Password" type="hidden" value="cf53f2575640f4b8e4b68947671c8608" />
The value fields hold a double MD5 of the plaintext username and password for the Access Point (in this example, "admin" and "trustwave"), i.e. md5(md5(value)). Applying MD5 twice does not make the hash meaningfully harder to reverse.
Finally, on the same AP2600-I WiFi Access Point you can load https://[router ip address]/goform/downloadConfigFile without authenticating. This downloads a file named femtoOamStore.db, an SQLite database in which the username and password are stored in plain text. You can read more about these advisories here.
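To make the double-MD5 point concrete, here is an added example (not code from the article or from Trustwave) that an administrator could run against the hidden fields of their own AP2600-I login page: it extracts the md5UserName/md5Password values and checks whether they correspond to a short, constructed list of default or weak credentials. The two hash values are the ones printed in the article; the HTML snippet and the wordlist are constructed for the example.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the form the device embeds in the page."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def double_md5(text: str) -> str:
    """md5(md5(text)): the second round hashes the hex string produced by the first."""
    return md5_hex(md5_hex(text))


# Constructed audit wordlist: credentials a defender would expect to see on an
# unconfigured or carelessly configured device.
WEAK_CREDENTIALS = ["admin", "password", "root", "1234", "user", "trustwave"]

# Constructed reproduction of the two hidden inputs quoted in the article.
SAMPLE_LOGIN_PAGE = """
<form>
<input id="md5UserName" name="md5UserName" type="hidden" value="c3284d0f94606de1fd2af172aba15bf3" />
<input id="md5Password" name="md5Password" type="hidden" value="cf53f2575640f4b8e4b68947671c8608" />
</form>
"""

HIDDEN_FIELD_RE = re.compile(
    r'<input[^>]*\bid="(md5UserName|md5Password)"[^>]*\bvalue="([0-9a-fA-F]{32})"'
)


def find_weak_credential(field_value: str,
                         candidates: Iterable[str] = WEAK_CREDENTIALS) -> Optional[str]:
    """Return the candidate whose double MD5 equals the field value, else None."""
    target = field_value.lower()
    for candidate in candidates:
        if double_md5(candidate) == target:
            return candidate
    return None


def audit_login_page(html: str) -> Dict[str, Optional[str]]:
    """Map each hidden md5 field found in the page to a matched weak credential (or None)."""
    results: Dict[str, Optional[str]] = {}
    for field, value in HIDDEN_FIELD_RE.findall(html):
        results[field] = find_weak_credential(value)
    return results


if __name__ == "__main__":
    for field, match in audit_login_page(SAMPLE_LOGIN_PAGE).items():
        status = f"matches weak credential '{match}'" if match else "no match in wordlist"
        print(f"{field}: {status}")
```

A match means the device is still running a credential that appears in a small wordlist; since the field is served to anyone who can reach the login page, the right response is to change the credential and restrict who can reach the management interface at all, not to rely on the hashing.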
Unfortunately, there is not much in the way of mitigating the Comba Telecom findings. After reaching out multiple times, Comba Telecom was simply unresponsive.
D-Link's response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third-party researchers like Trustwave SpiderLabs. After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.
However, days before releasing these advisories, D-Link provided information that the issues have been fixed. While it’s always good to hear that vulnerabilities have been patched (that is our goal after all) it sometimes takes the leverage of full disclosure to force organizations to scramble to do in one week what nine months of good faith outreach could not.
Anybody who owns the aforementioned D-Link routers might thus wish to download and flash the new firmware (DSL-2875AL: firmware v1.00.08AU 20161011; DSL-2877AL: firmware 1.00.20AU 20180327). Otherwise, Trustwave recommends that users of these routers and access points use internal filtering controls or a separate filtering device, such as a firewall, to limit access to the web-based management interface to a small set of authorized IP addresses.
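For the three unauthenticated config-download paths named in the Comba and D-Link findings above, and for the IP-allowlisting mitigation just recommended, the following added example (not part of the article, nor Trustwave's tooling) shows the kind of detection logic a defender can run over the device's or a fronting proxy's access log: it flags any request to those paths, distinguishes a served file (HTTP 200) from a blocked attempt, and separately flags management-interface traffic from outside an allowlisted network. The log lines, the 10.0.0.0/24 allowlist and the common-log-format assumption are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Request targets quoted in the advisories; an unauthenticated GET to any of
# them returned a configuration file containing credentials.
SENSITIVE_TARGETS = (
    "/romfile.cfg",                                        # D-Link DSL-2875AL
    "/09/business/upgrade/upcfgAction.php?download=true",  # Comba AC2400
    "/goform/downloadConfigFile",                          # Comba AP2600-I
)

# Constructed allowlist: the only network that should reach the management UI.
ALLOWED_MGMT_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed access-log lines in the common (Apache/nginx default) format.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Sep/2019:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 1532
192.0.2.10 - - [11/Sep/2019:10:00:07 +0000] "GET /goform/downloadConfigFile HTTP/1.1" 200 40960
10.0.0.5 - - [11/Sep/2019:10:01:13 +0000] "GET /romfile.cfg HTTP/1.1" 200 8192
198.51.100.7 - - [11/Sep/2019:10:02:44 +0000] "GET /09/business/upgrade/upcfgAction.php?download=true HTTP/1.1" 403 221
198.51.100.7 - - [11/Sep/2019:10:02:50 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_allowed_source(src: str, networks) -> bool:
    """True if src is a valid IP inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def analyse(log_text: str, networks=ALLOWED_MGMT_NETWORKS) -> List[Dict]:
    """Return one alert per log line that touches a sensitive path or breaks the allowlist."""
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons: List[str] = []
        if any(rec["target"].startswith(t) for t in SENSITIVE_TARGETS):
            if rec["status"] == 200:
                reasons.append("config file served without authentication")
            else:
                reasons.append(f"config download attempted (HTTP {rec['status']})")
        if not is_allowed_source(rec["src"], networks):
            reasons.append("management UI reached from outside the allowlist")
        if reasons:
            alerts.append({
                "src": rec["src"], "ts": rec["ts"], "target": rec["target"],
                "status": rec["status"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} {alert['target']} -> {'; '.join(alert['reasons'])}")
```

Note that a request for romfile.cfg from an allowlisted address is still flagged: the allowlist limits who can reach the interface, but it does not fix the disclosure itself, so a served config file should be treated as a credential exposure and followed by a credential change regardless of where the request came from.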