Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Multiple Vulnerabilities in Comba and D-Link Routers

Overview

There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.

Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. Unfortunately none of these vulnerabilities have been patched despite multiple outreach attempts to both D-Link and Comba from the disclosure team.

Vulnerabilities Details

While performing research on potential router vulnerabilities, Trustwave SpiderLabs Security Researcher, Simon Kenin, uncovered multiple credential vulnerabilities in some models of D-Link and Comba routers. Unfortunately, these types of vulnerabilities are more common than they should be as Simon previously reported on a similar vulnerability in Netgear (CVE-2017-5521) as have other Trustwave SpiderLabs Security Researchers over the years in Netgear and Humax routers.

D-Link Vulnerabilities

First let's look at the issues with the D-Link routers.

Simon's first finding affects the D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem. At least versions 1.00.01 & 1.00.05 are affected and likely others as well as he was unable to test all versions. That router model contains a password disclosure vulnerability in the file romfile.cfg. This file is available to anyone with access to the web-based management IP address and does not require any authentication. The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there.

The second D-Link finding affects the same model DSL-2875AL and also the DSL-2877AL. Anyone looking at the source code of the router login page (https://[router ip address]/index.asp) you would see the following lines:

var username_v = '<%TCWebApi_get("Wan_PVC","USERNAME","s")%>';
var password_v = '<%TCWebApi_get("Wan_PVC","PASSWORD","s")%>';

The username & password listed there are used by the user to connect to his/her ISP. This could allow an attacker to access the ISP account or the router itself if they admins reused the same credentials. You can read more about these advisories here: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26165

Comba Telecom Vulnerabilities

Simon also discovered three separate credential vulnerabilities in Comba brand routers.

The first finding is in the Comba AC2400 Wi-Fi Access Controller. An unauthenticated request for the URL https://[router ip address]/09/business/upgrade/upcfgAction.php?download=true results in saving a configuration file DBconfig.cfg. Credentials are stored at the end of that file in the following format:

#**#admin#**#system#**#61d217fd8a8869f6d26887d298ce9a69#**#0#**#3#**#2#**#2#**#2017-01-01#**#forever

That string in the middle, "61d217fd8a8869f6d26887d298ce9a69", is an MD5 hash of the password to the device (in this case "trustwave"). MD5 hashes are often easy to reverse, especially for simple or common passwords. If SSH/Telnet is enabled this could lead to full takeover of the filesystem of the device.

The second and third findings affect the Comba AP2600-I WiFi Access Point (version A02,0202N00PD2). In the first case you only need to look at the source code of the web-based management login page. You'll find entries like the following:

<input type="hidden" id="md5UserName" name="md5UserName" value="c3284d0f94606de1fd2af172aba15bf3">
<input type="hidden" id="md5Password" name="md5Password" value="cf53f2575640f4b8e4b68947671c8608">

The value field is double md5 of the plaintext username and password for the Access Point (in this case "admin" and "trustwave"). This would look like this: md5(md5(value)) and just because md5 is used twice, that doesn't make it that much harder to reverse.

Finally, in the same model AP2600-I WiFi Access Point you can load https://[router ip address]/goform/downloadConfigFile without having to authenticate. This will result in downloading a file named femtoOamStore.db. The file is a sqlite database file and the username and password are stored in plain text in a table named "TABLE_SERVICE_INF".

You can read more about these advisories here: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=26164

Summary

These types of router vulnerabilities are very serious. Since your router is the gateway in and out of your entire network it can potentially affect every user and system on that network. An attacker-controlled router can manipulate how your users resolve DNS hostnames to direct your users to malicious websites. An attacker-controlled router can deny access in and out of the network perhaps blocking your users from accessing important resources or blocking customers from accessing your website. We have even seen instances of attacker-controlled routers manipulating web traffic to embed their own content. About a year ago, Simon discovered that unpatched Mikrotik routers were being used to embed cryptojacking scripts in all web traffic passing through them.

Unfortunately, there is not much in the way of mitigating the Comba Telcom findings. After reaching out multiple times, Comba Telcom was simply unresponsive.

D-Link’s response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs. After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.

However, days before releasing these advisories, D-Link provided information that the issues have been fixed. While it’s always good to hear that vulnerabilities have been patched (that is our goal after all) it sometimes takes the leverage of full disclosure to force organizations to scramble to do in one week what nine months of good faith outreach could not.

We have been unable to verify if these fixes actually resolve the issue. But the links are available as follows:

DSL-2875AL :: Firmware v1.00.08AU 20161011 :: http://files.dlink.com.au/products/DSL-2875AL/REV_A/Firmware/Firmware_v1.00.08AU_20161011/DSL2875ALA1_FW1.00.08AU_20161011.bin

DSL-2877AL ::  Firmware 1.00.20AU 20180327 :: http://files.dlink.com.au/products/DSL-2877AL/REV_A/Firmware/Firmware_1.00.20AU_20180327/DSL2877ALA1_FW1.00.20AU_20180327.bin

Users of these routers and access points will want to verify that they are on the most recent firmware and may want to use internal filtering controls or a separate filtering device like a firewall to limit access to the web-based management of these devices to only a small set of authorized IP addresses.

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo