Security researcher has discovered ten zero-day vulnerabilities in D-link 850L wireless routers. D-Link is a Taiwan-based networking equipment manufacturer company which leave users open to cyber attacks.
Security researcher Pierre Kim discovered zero-day vulnerabilities in D-Link DIR 850L wireless routers, last year Kim also reported several flaws in D-Link DWR-932B LTE router but as per him the company ignored the issues.
The following vulnerabilities are:
- Lack of proper firmware protection
- Cross-site scripting (XSS)
- Retrieve admin passwords both LAN and WAN
- Weak cloud protocol
- Backdoor Access
- Private keys hardcoded in the firmware
- No authentication check
- Weak files permission and credentials stored in cleartext
- Pre-Authentication RCEs
- Denial of Service (DoS)
The following CVE's are:
- CVE-2016-10177 for #1
- (Backdoor accounts)
- CVE-2016-10178 for #2
- (Backdoor)
- CVE-2016-10179 for #3
- (hardcoded WPS PIN)
- CVE-2016-10180 for #4
- (WPS PIN generation based on srand(time(0)) seeding)
- CVE-2016-10181 for #5
- (qmiweb leaks information)
- CVE-2016-10182 for #6
- (qmiweb allows command injection with ` characters)
- CVE-2016-10183 for #7
- (qmiweb allows directory listing with ../ traversal)
- CVE-2016-10184 for #8
- (qmiweb allows file reading with ..%2f traversal)
- CVE-2016-10185 for #9
- (A secure_mode=no line exists in /var/miniupnpd.conf)
- CVE-2016-10186 for #10
- (/var/miniupnpd.conf has no deny rules)
About Author
Hi, My Name is Hafeez. I am a webdesigner, blogspot developer and UI designer. I am a certified Themeforest top contributor and popular at JavaScript engineers. We have a team of professinal programmers, developers work together and make unique blogger templates.