Multiple Vulnerabilities in D-Link, Comba Routers, Warns Trustwave

A security researcher from Trustwave has gone public about flaws found in a number of routers from D-Link and Comba, which have failed to act on the warnings.

The flaws are so serious that they could allow for usernames and passwords stored on the router to be compromised by outside parties.

Router flaws are potentially dangerous, as the device acts as an Internet gateway for the individual networks of homes and businesses, and all the users and devices using that network are potentially vulnerable. An attacker-controlled router could, for example, manipulate how users resolve DNS hostnames to direct them to malicious websites.

D-Link flaws

Trustwave said it had gone public as “none of these vulnerabilities have been patched despite multiple outreach attempts to both D-Link and Comba from the disclosure team.”

“There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin,” blogged Trustwave. “Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.”

Simon Kenin is a Trustwave SpiderLabs security researcher, and he has previously uncovered flaws with Netgear and Humax routers.

Kenin found an issue with the D-Link DSL-2875AL, a dual band wireless AC750 ADSL2+ modem.

The flaw with this router model concerns a password disclosure vulnerability in the file romfile.cfg. This file is available to anyone with access to the web-based management IP address and does not require any authentication.

The second flaw also affects the same model DSL-2875AL, as well as the DSL-2877AL model. Kenin warned that anyone looking at the source code of the router login page could see the username and password listed there.

“This could allow an attacker to access the ISP account or the router itself if the admins reused the same credentials,” he warned.

Comba flaws

Meanwhile Kenin also discovered three separate credential vulnerabilities in Comba brand routers.

The first flaw is in the Comba AC2400 Wi-Fi Access Controller, where an unauthenticated request for the URL results in saving a configuration file DBconfig.cfg. Credentials are stored at the end of that file.

The second and third flaws affect the Comba AP2600-I WiFi Access Point, where a person only needs to look at the source code of the web-based management login page to find passwords and usernames.

The same model AP2600-I WiFi Access Point also allows a person to load a webpage without having to authenticate. This will result in downloading a file named femtoOamStore.db, which stores the username and password in plain text.
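Both patterns reported for the D-Link and Comba devices (configuration files served without authentication, and credentials embedded in the login page source) can be caught by a release check on the management web interface. The following Python is an added example, not code from Trustwave, D-Link or Comba; the file contents, the credential and the `sid=valid-session` cookie are constructed, and only the file name romfile.cfg comes from the article.

```python
PASSWORD = "constructed-Passw0rd"  # constructed sample credential
PUBLIC = {"/login.html"}           # assumption: only the login page is public

def make_app(files, enforce_auth):
    """WSGI app serving `files`; with enforce_auth, non-public paths need a session."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        # Stand-in for a real session lookup (hypothetical cookie value).
        authed = environ.get("HTTP_COOKIE") == "sid=valid-session"
        if enforce_auth and path not in PUBLIC and not authed:
            status, body = "401 Unauthorized", b""  # deny before revealing existence
        elif path not in files:
            status, body = "404 Not Found", b""
        else:
            status, body = "200 OK", files[path].encode()
        start_response(status, [("Content-Length", str(len(body)))])
        return [body]
    return app

def fetch(app, path, cookie=None):
    """Call the app in-process (no network); return (status_code, body_text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie or ""}
    seen = {}
    def start_response(status, headers):
        seen["status"] = int(status.split()[0])
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], body

def audit(app, paths, credentials):
    """Findings for requests sent without a session."""
    findings = []
    for path in paths:
        status, body = fetch(app, path)
        if status == 200 and path not in PUBLIC:
            findings.append(f"{path}: served without authentication")
        if any(c in body for c in credentials):
            findings.append(f"{path}: response contains a stored credential")
    return findings

# Constructed trees: romfile.cfg is named in the article, contents are placeholders.
VULNERABLE = {
    "/login.html": f"<script>var pw='{PASSWORD}';</script><form></form>",
    "/romfile.cfg": f"password={PASSWORD}\n",
}
HARDENED = {
    "/login.html": "<form method='post' action='/login'></form>",
    "/romfile.cfg": "password_hash=<salted-hash placeholder>\n",
}
```

Running `audit(make_app(VULNERABLE, False), VULNERABLE, [PASSWORD])` reports both classes of flaw, while the hardened tree behind `enforce_auth=True` yields no findings.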

Shoddy response

“These types of router vulnerabilities are very serious,” said Trustwave, which lamented the response of both Comba and D-Link. The latter at least finally patched the flaws.

“Unfortunately, there is not much in the way of mitigating the Comba Telecom findings,” warned Trustwave. “After reaching out multiple times, Comba Telecom was simply unresponsive.”

“D-Link’s response to these findings was confusing and unfortunately very typical for organisations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs,” it said.

“After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy,” Trustwave said. “We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely.”

Thankfully, after nine months of trying to get a response, D-Link fixed the flaws days before Trustwave released the advisories.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
