D-Link and Comba routers have multiple vulnerabilities, including storing passwords in plain text
A security researcher has revealed details of a series of vulnerabilities in routers made by D-Link and Comba which make it easy to see usernames and passwords.
Simon Kenin from Trustwave SpiderLabs -- an "elite team of ethical hackers, forensic investigators and researchers" -- found a total of five security flaws which involve the insecure storage of credentials. In some instances, passwords are stored in plain text and can be seen by anyone with network or internet access to the routers in question.
Explaining Kenin's findings in a blog post, SpiderLabs' Karl Sigler says that the D-Link DSL-2875AL dual band wireless AC750 ADSL2+ modem is one of the affected devices. "At least versions 1.00.01 & 1.00.05 are affected and likely others as well as he was unable to test all versions. That router model contains a password disclosure vulnerability in the file romfile.cfg. This file is available to anyone with access to the web-based management IP address and does not require any authentication. The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there".
For the DSL-2875AL and also the DSL-2877AL, Kenin found that the source code of the router login page revealed the username and password associated with the internet connection.
Updates have been issued by D-Link for both devices, but it comes eight months after SpiderLabs alerted the company to the problems. Sigler writes:
D-Link's response to these findings was confusing and unfortunately very typical for organizations that are not set up to accept security problems from third party researchers like Trustwave SpiderLabs. After an initial response confirming receipt and escalation for these findings, they claimed they were unable to escalate the issue with their R&D group within the 90-day window outlined in our Responsible Disclosure policy. We provided them a rather lengthy extension to that window, but they eventually simply stopped responding entirely. However, days before releasing these advisories, D-Link provided information that the issues have been fixed.
A trio of vulnerabilities was also found in a pair of Comba brand routers, specifically the Comba AC2400 Wi-Fi Access Controller and the Comba AP2600-I WiFi Access Point. In the former, an easily reversed MD5 hash of the device password was found stored in a configuration file. In the latter, two vulnerabilities were detected: a double MD5 hashed version of the username and password for the device stored in the source code of the login page, and database being used to store the username and password in plain text.
Owners of the affected Comba devices are out of luck. SpiderLabs says: "there is not much in the way of mitigating the Comba Telcom findings. After reaching out multiple times, Comba Telcom was simply unresponsive".
Check out the full report on the SpiderLabs blog.