D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported.
The four RCE flaws, three of which are rated critical and do not require authentication, were discovered by security researcher yali-1002, who released minimal details in their GitHub repository.
The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
The flaws are summarized as follows:
- CVE-2024-41622: Remote Command Execution (RCE) vulnerability via the tomography_ping_address parameter in the /HNAP1/ interface. (CVSS v3 score: 9.8 “critical”)
- CVE-2024-44340: RCE vulnerability via the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings (authenticated access requirement reduces the CVSS v3 score to 8.8 “high”).
- CVE-2024-44341: RCE vulnerability via the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request. (CVSS v3 score: 9.8 “critical”)
- CVE-2024-44342: RCE vulnerability via the wl(0).(0)_ssid parameter. (CVSS v3 score: 9.8 “critical”)
Though D-Link acknowledged the security problems and their severity, it noted that they fall under its standard end-of-life/end-of-support policies, meaning there will be no security updates to address them.
“As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease,” reads D-Link’s announcement.
“D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it,” adds the vendor further down in the bulletin.
It is noted that DIR-846W routers were sold primarily outside the U.S., so the impact of the flaws should be minimal in the States, yet still significant globally. The model is still sold in some markets, including Latin America.
Though DIR-846 reached the end of support in 2020, over four years ago, many people only replace their routers once they face hardware problems or practical limitations, so a lot of people could still use the devices.
D-Link recommends that people still using the DIR-846 retire it immediately and replace it with a currently supported model.
If that is impossible, the hardware vendor recommends that users ensure the device runs the latest firmware, use strong passwords for the web admin portal, and enable WiFi encryption.
D-Link vulnerabilities are commonly exploited by malware botnets, such as Mirai and Moobot, to recruit devices into DDoS swarms. Threat actors have also recently exploited a D-Link DIR-859 router flaw to steal passwords and breach devices.
Therefore, securing the routers before proof-of-concept exploits are released and abused in attacks is vital.
