CISA Warns of Actively Exploited D-Link Router Vulnerabilities

May 17, 2024 | Newsroom | Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of vulnerabilities is as follows –

  • CVE-2014-100005 – A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session
  • CVE-2021-40655 – An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page

There are currently no details on how these shortcomings are exploited in the wild, but federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024.

It’s worth noting that CVE-2014-100005 affects legacy D-Link products that have reached end-of-life (EoL) status, necessitating that organizations still using them retire and replace the devices.

The development comes as the SSD Secure Disclosure team revealed unpatched security issues in DIR-X4860 routers that could enable remote unauthenticated attackers to access the HNAP port in order to obtain elevated permissions and run commands as root.

“By combining an authentication bypass with command execution the device can be completely compromised,” it said, adding the issues impact routers running firmware version DIRX4860A1_FWV1.04B03.

SSD Secure Disclosure has also made available a proof-of-concept (PoC) exploit, which employs a specially crafted HNAP login request to the router’s management interface to get around authentication protections and achieve code execution by taking advantage of a command injection vulnerability.

D-Link has since acknowledged the issue in a bulletin of its own, stating a fix is “Pending Release / Under Development.” It described the issue as a LAN-side unauthenticated command execution flaw.

Ivanti Patches Multiple Flaws in Endpoint Manager Mobile (EPMM)

Cybersecurity researchers have also released a PoC exploit for a new vulnerability in Ivanti EPMM (CVE-2024-22026, CVSS score: 6.7) that could permit an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.

“This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL,” Redline Cyber Security’s Bryan Smith said.

The problem stems from a case of inadequate validation in the EPMM command-line interface’s installation command, which can fetch an arbitrary RPM package from a user-provided URL without verifying its authenticity.

CVE-2024-22026 impacts all versions of EPMM before 12.1.0.0. Also patched by Ivanti are two other SQL injection flaws (CVE-2023-46806 and CVE-2023-46807, CVSS scores: 6.7) that could allow an authenticated user with appropriate privilege to access or modify data in the underlying database.

While there is no evidence that these flaws have been exploited, users are advised to update to the latest version to mitigate potential threats.
