Is Your D-Link Router or NAS 5+ Years Old? Chances are Critical Flaws Won’t Be Patched

Security researcher Chaio-Lin Yu (Steven Meow) has discovered multiple critical vulnerabilities in D-Link DSL6740C routers. After the findings, the company stated that it won’t release patches since these devices reached end-of-life status, leaving approximately 60,000 devices at risk.

The announcement follows D-Link’s similar response to a recently discovered NAS vulnerability (CVE-2024-10914), where the company also declined to patch affected devices due to EOL status.

Router Vulnerability Details

The most severe flaw, CVE-2024-11068 (CVSS 9.8), enables attackers to change passwords through privileged API access. Two additional vulnerabilities were identified: a path traversal flaw (CVE-2024-11067, CVSS 7.5) and a remote code execution vulnerability (CVE-2024-11066, CVSS 7.2).

The Taiwanese computer response center (TWCERTCC) also reported four high-severity command injection flaws affecting the same model, tracked as CVE-2024-11062 through CVE-2024-11065.

Impact Assessment

Most affected devices are located in Taiwan, with the model no longer available in the US market. BleepingComputer reports these routers reached EOL status nearly a year ago. Instead of providing security updates, D-Link recommends “retiring and replacing D-Link devices that have reached EOL/EOS.”

Required Actions

For users unable to immediately replace their routers:

  • Disable remote access functionality
  • Set strong access passwords
  • Implement strict network controls
  • Consider replacing them and avoid D-Link
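Until an unpatchable router is replaced, the practical control is to make sure its management interface is only reachable from inside the LAN and to notice when that is not the case. The script below is an added example, not code from the original post or from D-Link: it runs a small detection over a constructed, common-log-style access log (the address ranges, URL prefixes and log lines are assumptions for illustration, not D-Link's actual format) and reports administrative requests that arrive from outside the trusted networks.

```python
"""Added example (not from the original post or from D-Link): flag requests to a
router's admin/API surface that originate outside the LAN.

The log format, the admin URL prefixes and the sample lines are constructed
assumptions for illustration; adapt TRUSTED_NETS and ADMIN_PREFIXES to the
device and network you actually operate."""
import ipaddress
import re

# Assumption: RFC 1918 ranges are "inside"; narrow this to your real LAN prefix.
TRUSTED_NETS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
]

# Assumption: URL prefixes that reach the device's management/API surface.
ADMIN_PREFIXES = ("/cgi-bin/", "/api/", "/admin", "/login")

# Common-log-style line: client ip, method, path, status (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '192.168.1.20 - - [12/Nov/2024:10:01:02 +0800] "GET /admin/status.html HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/Nov/2024:10:02:15 +0800] "POST /cgi-bin/login.cgi HTTP/1.1" 401 0',
    '203.0.113.45 - - [12/Nov/2024:10:02:17 +0800] "POST /api/password HTTP/1.1" 200 12',
    '192.168.1.20 - - [12/Nov/2024:10:03:00 +0800] "GET /index.html HTTP/1.1" 200 2048',
    'this line is not in the expected format',
    '198.51.100.7 - - [12/Nov/2024:10:04:44 +0800] "GET /index.html HTTP/1.1" 200 2048',
]


def is_trusted(ip: str) -> bool:
    """True if ip parses and falls inside one of the trusted LAN networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed addresses are never treated as trusted
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_external_admin_access(lines):
    """Return one finding per admin-surface request from an untrusted source."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than failing the whole run
        if not rec["path"].startswith(ADMIN_PREFIXES):
            continue  # ordinary page traffic is not what we are looking for
        if is_trusted(rec["ip"]):
            continue  # LAN-side administration is expected
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "ts": rec["ts"],
        })
    return findings


def summarize(findings):
    """Count findings per external source address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_external_admin_access(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("external admin sources:", summarize(hits))
```

A successful (status 200) request against an API path from an outside address is the case worth alerting on: it means the remote-management setting is still on, or a firewall rule in front of the device is missing. Feed the function real log lines from the device or from a reverse proxy placed in front of it, and treat any non-empty result as a reason to pull the management port off the WAN side immediately.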

Security Risk

Routers remain prime targets for attackers, serving as the gateways to both home and business networks. We keep reiterating that no matter how good the security posture of the smartphone, the personal computer, or the network in general, the router is the first and most important link in that security chain: if it is vulnerable, it becomes the point of entry for attacks.

Opinions

I honestly can’t wait until the Cyber Resilience Act (CRA) kicks in at full speed; however, we still have at least a couple more years to wait.

D-Link may need to change its approach to providing security updates if it wants not only to conform with EU requirements, but also to avoid penalties that extend to personal liability for C-level executives.

This approach of patching critical vulnerabilities only up to a certain point doesn’t align with the CRA concept. Security must cover multiple checkpoints:

  • Security-by-default architecture
  • Zero known exploitable vulnerabilities at release
  • Attack surface minimization

These are just a few of the CRA’s requirements, and as of today, D-Link does not appear to meet any of them beyond setting a date on which it stops providing critical updates.

Photo by Misha Feshchak on Unsplash.
