We close the vulnerability in the Wi-Fi controllers from D-Link
A couple of months ago I discovered the following, in my opinion, extremely unpleasant vulnerability in the D-Link DWC-1000 and DWC-2000 controllers.
If you don’t change the Guest password on the DWC from within the network (whether guest or admin), then you can connect to SSH The default guest entry is guest. Yes, that's right - through the disabled Guest account. It seems that nothing terrible should happen - let the attacker look at the settings, all passwords are encrypted in the view mode. But here is the second unpleasant moment - under this guest record you can download a backup copy of the config file and there are admin passwords in the clear view.
I reported about this vulnerability in D-Link (by the way, unlike other vendors, the site does not have a security contact button and had to search for responsible employees via LinkedIn), and after 2 months I received an answer confirming the vulnerability and the imminent release of updates. Correspondence below.
Query: for DWC-2000, firmware v4.7.0.3, with SSH (by default) Attach device using username “guest” and “guest” (yes, it is disabled for Web, but works for SSH). After this, you can use the commands utilization -> backup configuration file -> ip of the TFTP server.
Answer:(Guest account vulnerability by SSH SPR # 63945) will be part of upcoming releases:
DWC-1000 / C1: v471X, mid-Sept-2018
DWC-2000: v471X, mid-Oct-2018 I
recommend to owners of DWC- 1000 and DWC-2000 change the guest passwords, check the absence of bookmarks and install firmware updates after the exit.
If you don’t change the Guest password on the DWC from within the network (whether guest or admin), then you can connect to SSH The default guest entry is guest. Yes, that's right - through the disabled Guest account. It seems that nothing terrible should happen - let the attacker look at the settings, all passwords are encrypted in the view mode. But here is the second unpleasant moment - under this guest record you can download a backup copy of the config file and there are admin passwords in the clear view.
I reported about this vulnerability in D-Link (by the way, unlike other vendors, the site does not have a security contact button and had to search for responsible employees via LinkedIn), and after 2 months I received an answer confirming the vulnerability and the imminent release of updates. Correspondence below.
Query: for DWC-2000, firmware v4.7.0.3, with SSH (by default) Attach device using username “guest” and “guest” (yes, it is disabled for Web, but works for SSH). After this, you can use the commands utilization -> backup configuration file -> ip of the TFTP server.
Answer:(Guest account vulnerability by SSH SPR # 63945) will be part of upcoming releases:
DWC-1000 / C1: v471X, mid-Sept-2018
DWC-2000: v471X, mid-Oct-2018 I
recommend to owners of DWC- 1000 and DWC-2000 change the guest passwords, check the absence of bookmarks and install firmware updates after the exit.