A critical memory buffer overflow vulnerability has recently been discovered in several wired and wireless router products from D-Link.
In a warning bulletin issued yesterday (July 18), eEye Digital Security confirmed that hackers could exploit this vulnerability to execute binary code or take full control of the entire network system.
eEye has been alerting D-Link about this vulnerability since February of this year.
The spokesperson for D-Link confirmed that the aforementioned security vulnerability arises in the Local Area Network (LAN) control interface of some D-Link router products, and stated that a fix has already been released. Users can download it through the company’s website.
Mike Puterbaugh, Vice President of Product Marketing at eEye, indicated that the newly discovered vulnerability in D-Link products is quite serious, as these devices are widely used in small businesses and home networks. Consequently, this vulnerability could lead to significant damage.
eEye rates this security flaw at a high severity level. Meanwhile, Secunia classifies it as medium severity, while Symantec rates it the lowest – at 10/10.
Hackers can exploit this vulnerability by sending a long M-SEARCH string to the affected device to trigger a buffer overflow. M-SEARCH requests are the discovery messages that Universal Plug and Play (UPnP) uses to search for devices on a network. If successful, the attacker could execute binary code or gain control of the entire network system.
However, the attacker can only succeed if they find a user with administrative access to control the wireless network settings. At that point, they could also manipulate the router to reboot or carry out denial-of-service attacks, the D-Link spokesperson stated.
D-Link advises users to update their firmware as soon as possible.
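As an added example (not code from eEye, D-Link or the original article), the following Python function inspects UPnP discovery payloads seen on UDP port 1900 and flags M-SEARCH requests that are unusually long, the condition the bulletin describes. The length limits and both sample datagrams are constructed assumptions; the article does not say which part of the request overflows or at what length.

```python
# Added example: limits and sample datagrams are constructed assumptions.
MAX_DATAGRAM = 512  # assumed ceiling for a whole discovery request
MAX_LINE = 128      # assumed ceiling for the request line or any one header


def inspect_msearch(payload: bytes) -> list[str]:
    """Return findings for one UDP/1900 payload; an empty list means nothing flagged."""
    if payload[:8].upper() != b"M-SEARCH":
        return []  # not a discovery request, out of scope for this check
    findings = []
    if len(payload) > MAX_DATAGRAM:
        findings.append(f"datagram is {len(payload)} bytes (limit {MAX_DATAGRAM})")
    lines = payload.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_LINE:
        findings.append(f"request line is {len(request_line)} bytes")
    if request_line.split() != [b"M-SEARCH", b"*", b"HTTP/1.1"]:
        findings.append("malformed request line")
    for line in lines[1:]:
        if not line:
            continue  # blank line that terminates the header block
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append("header line without a colon")
        if len(line) > MAX_LINE:
            findings.append(f"header {name[:16]!r} is {len(line)} bytes")
    # Discovery requests are plain ASCII text; anything else is suspicious.
    if any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b > 0x7E for b in payload):
        findings.append("non-printable bytes in request")
    return findings


# Constructed sample: an ordinary discovery request.
NORMAL = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
# Constructed sample: same request with one padded header (placement is an assumption).
OVERSIZED = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"ST: " + b"A" * 800 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, inspect_msearch(pkt) or "ok")
```

The same checks can be fed from a packet capture or a socket bound to the LAN segment; tune both limits against the discovery traffic your own devices generate.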
Hoàng Dũng