
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1095
  DWR-113 Rev. Ax - CSRF causing Denial of Service - FW v. 2.02 or older
                                8 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           D-Link DWR-113 Rev. Ax firmware
Publisher:         D-Link
Operating System:  Network Appliance
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3136  

Original Bulletin: 
   http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10034

---------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories > SAP10034

DWR-113 Rev. Ax - CSRF causing Denial of Service - FW v. 2.02 or older

Publication ID: SAP10034

Resolved Status: Yes

Published on: 2 July 2014 4:34 GMT

Last updated on: 2 July 2014 4:43 GMT

Overview

The DWR-113 Rev. Ax firmware 2.02 and older is susceptible to a CSRF
vulnerability, which allows an attacker to forge HTML forms and execute actions
in an authorized (logged-in) browser session. This vulnerability allows an
attacker to perform denial-of-service exploits that may cause the device to
become unreliable.

D-Link Security Incident Response Policy

All public communication on this issue will be offered at 
http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to 
report incidents at security@dlink.com

For any non-critical security issue, help updating firmware, or configuration
questions regarding this issue, please contact your D-Link customer care channel.

Reference

Author - Blessen Thomas - blessenthomas75@gmail.com

CVE-2014-3136

General Disclosure

Security and performance are of the utmost importance to D-Link across all
product lines. This applies not just to the development process but also to
regular firmware updates that comply with current safety and quality standards.
We are proactively working with the sources of these reports, and continuing
to review the complete product line, to ensure that the vulnerabilities
discovered are addressed. We will continue to update this page with the
relevant product firmware updates addressing these concerns. In the meantime,
you can exercise the cautions below to avoid unwanted intrusion into your
D-Link product.

Immediate Recommendations for all D-Link router customers
     
Do not enable the Remote Management feature, since this would allow malicious
users to use this exploit from the Internet. Remote Management is disabled by
default on all D-Link routers; it is included for customer care troubleshooting
and is only active if the customer enables it.

If you receive unsolicited e-mails that relate to security vulnerabilities and
prompt you to take action, please ignore them. Clicking links in such e-mails
could allow unauthorised persons to access your router. Neither D-Link nor its
partners and resellers will send you unsolicited messages asking you to click
on or install something.

Make sure that your wireless network is secure.

Do not provide your admin password to anyone. If required we suggest updating
the password frequently.

Description

We encourage you to contact the author for further information at
blessenthomas75@gmail.com. The author can provide further details.

In order to avoid miscommunication, the following is taken directly from the
author's report:

It was observed that the D-Link DWR-113 wireless router is vulnerable to a
denial of service attack via a CSRF (Cross-Site Request Forgery) vulnerability.

An attacker could craft a malicious CSRF exploit to change the password in the
password functionality when the user (admin) is logged in to the application,
as the user interface (admin panel) lacks a CSRF token or nonce to prevent an
attacker from changing the password.

An attacker can manipulate user data by sending him a maliciously crafted URL.

As a result, as soon as the crafted malicious exploit is executed, the router
is rebooted and the user is forced to wait for a few minutes so that the
changes can be made in the settings of the router.

Now it is observed that even though the attacker's password doesn't work,
neither does the user's current password work, and the user tries a lot to get
logged in to the admin panel interface of the router using the user's current
password.

Finally the user is forced to reset the router's device physically, thus
leading to a denial of service condition.

Every time, the user is forced to reset the device manually, which is a
cumbersome process.

Proof of Concept code (exploit)

Restart Router by CSRF

<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://192.168.0.1/rebo.htm">
      <input type="hidden" name="S00010002" value="test" />
      <input type="hidden" name="np2" value="test" />
      <input type="hidden" name="N00150004" value="0" />
      <input type="hidden" name="N00150001" value="" />
      <input type="hidden" name="N00150003" value="1080" />
      <input type="hidden" name="&#95;cce" value="0x80150002" />
      <input type="hidden" name="&#95;sce" value="&#37;Ssc" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
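The server-side checks whose absence the report describes, as an added example that is not part of this advisory or of D-Link's firmware: the vulnerable authorization check (a live admin session is enough) beside a hardened one that refuses the PoC's GET form submission, compares the Origin/Referer against the router's own address, and requires a per-session synchronizer token. The `_csrf` field name, the `Session` and `Request` types and the sample requests are assumptions constructed for the example; the path and parameter names come from the PoC above.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.0.1"  # router address used in the PoC
STATE_CHANGING = {"/rebo.htm"}        # reboot page from the PoC
TOKEN_FIELD = "_csrf"                 # hypothetical hidden form field name

@dataclass
class Session:
    """Server-side admin session; the token is minted at login (constructed)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict

def vulnerable_authorized(session, request):
    """Before: a live admin session is the only check, so any page the admin's
    browser visits can submit the PoC's GET form and reboot the router."""
    return session is not None

def hardened_authorized(session, request):
    """After: three independent checks, any one of which defeats the PoC form."""
    if session is None:
        return False
    if request.path not in STATE_CHANGING:
        return True
    # 1. State changes must be POST; a plain GET form submission is refused.
    if request.method != "POST":
        return False
    # 2. Origin (or Referer as fallback) must be the router's own origin.
    src = request.headers.get("Origin") or request.headers.get("Referer", "")
    if src != ROUTER_ORIGIN and not src.startswith(ROUTER_ORIGIN + "/"):
        return False
    # 3. Synchronizer token: the form must echo the per-session secret;
    #    compare_digest avoids leaking the token through timing differences.
    token = request.params.get(TOKEN_FIELD, "")
    return hmac.compare_digest(token.encode(), session.csrf_token.encode())

# Constructed requests: the PoC form as a browser would send it, and a genuine one.
FORGED = Request("GET", "/rebo.htm", {"Referer": "http://attacker.example/poc.html"},
                 {"S00010002": "test", "N00150004": "0", "_cce": "0x80150002"})

def legitimate(session, origin=ROUTER_ORIGIN):
    return Request("POST", "/rebo.htm", {"Origin": origin},
                   {"N00150004": "0", TOKEN_FIELD: session.csrf_token})
```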

Affected Products

Model Name                             DWR-113
HW Version                             Ax
Current FW Version                     v. 2.02 and older
New FW Version for this exploit fix    Firmware: v. 2.03b02 (Release Notes)
    
Security patch for your D-Link router

These firmware updates address the security vulnerabilities in affected D-Link
routers. D-Link will update this continually, and we strongly recommend that
all users install the relevant updates.

As there are different hardware revisions of our products, please check the
revision on your device before downloading the corresponding firmware update.
The hardware revision information can usually be found on the product label on
the underside of the product, next to the serial number. Alternatively, it can
also be found in the device's web configuration.

To update the firmware, please log in to the Web-GUI interface of your device
and, from the menu, select Maintenance -> System -> Upgrade Firmware. If you
require help, please contact your regional D-Link customer care website for
options.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================