D-Link issued fixes on Monday for flaws that could allow remote access to one of its routers, and will patch several other models in the coming week.
The vulnerabilities were found by Peter Adkins, a systems engineer in Canada who said he alerted the company to the issues in early January and decided to publicize them last week after falling out of contact with D-Link.
D-Link acknowledges Adkins’ findings in its advisory, which included three new firmware versions for its DIR-820L router. The company expects to release firmware updates in the next week for the DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-826L, DIR-830L and DIR-836L.
The most serious flaw Adkins found is a cross-site request forgery vulnerability (CSRF). A service running on the DIR-820L that handles dynamic requests such as updating usernames and passwords can be accessed if a victim can be lured to a malicious webpage, according to Adkins’ writeup.
The attacker would then have full control over a router and could change its DNS (Domain Name System) settings or launch a telnet service, among other misdeeds.
Adkins found other problems, too, one of which could allow unauthenticated access to the router if remote management is enabled. Another flaw allowed him to upload a file that would overwrite the router’s DNS settings.
D-Link said some attacks can be blocked by disabling a remote management feature that can provide access to a router’s settings. The capability is turned off by default, the company said.