D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack.
The routers, first introduced in 2013, reached end-of-life support in Feb. 2016. In Aug. 2018, D-Link released a patch (1.20B01 beta) to address multiple security bugs. On Friday, Palo Alto Networks’ Unit 42 researchers publicly disclosed six additional bugs – one rated critical and five rated high severity.
“The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use,” [researchers wrote](<https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/>). “The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.”
D-Link also notified customers of what it classified as “alleged” flaws found by the Unit 42 team. “The product has reached End of Life/End of Support (EOS), and there is no more extended support or development for them,” [it wrote](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174>). Nevertheless, the company did release a “beta” patch (v1.20B01Beta01) on May 26, 2020.
“Owners of the DIR-865L who use this product beyond EOS, at their own risk, should manually update to the latest firmware. These beta releases are a result of investigating and understanding the report and our complete investigation of the entire family of products that may be affected. Firmware released after EOS is a standard operating procedure,” D-Link’s advisory warns.
According to the advisory, the D-Link patch only fixes three bugs found by Unit 42: the cross-site scripting bug ([CVE-2020-13786](<https://nvd.nist.gov/vuln/detail/CVE-2020-13786>)), inadequate encryption strength ([CVE-2020-13785](<https://nvd.nist.gov/vuln/detail/CVE-2020-13785>)) and one of the cleartext storage of sensitive information flaws ([CVE-2020-13786](<https://nvd.nist.gov/vuln/detail/CVE-2020-13786>)).
The most serious of the bugs is the critical command-injection ([CVE-2020-13782](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13782>)) vulnerability. “The web interface for this router is controlled by the backend engine called cgibin.exe. Most requests for web pages are sent to this controller. If a request for scandir.sgi is made, a malicious actor can inject arbitrary code to be executed on the router with administrative privileges,” researchers wrote.
Those admin privileges can be pilfered by chaining a second high-severity bug ([CVE-2020-13786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13786>)), found by Unit 42. This second bug, patched by D-Link in May, allows an attacker to steal an active session cookie via the admin’s web pages, which are vulnerable to a cross-site request forgery attack, researchers said.
D-Link’s DIR-865L Wireless AC 1750 had previously been singled out in research by Independent Security Evaluators at the hacker [convention DEF CON 2014](<https://threatpost.com/def-con-hosting-soho-wireless-router-hacking-contest/107463/>). Researchers lumped the router into a group of 13 popular SOHO Wi-Fi routers open to some sort of local or remote attack.
In lieu of replacing hardware, or the availability of patches for all bugs, Unit 42 researchers recommend configuring routers to “default all traffic to HTTPS to defend against session hijacking attacks” and changing the router’s time zone to defend against malicious actors who are “calculating the randomly generated session id.”
Source: “WFH Alert: Critical Bug Found in Old D-Link Router Models,” by Tom Spring, Threatpost, published 2020-06-15 (<https://threatpost.com/work-from-home-alert-critical-d-link-bug/156573/>). CVEs referenced: CVE-2020-13782, CVE-2020-13785, CVE-2020-13786.
NVD records for the referenced CVEs (all published 2020-06-03; affected CPE `cpe:2.3:o:dlink:dir-865l_firmware:1.20b01:*:*:*:*:*:*:*`):

- CVE-2020-13786 (CWE-352): “D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.” CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`; CVSS v2 base score 6.8, `AV:N/AC:M/Au:N/C:P/I:P/A:P`.
- CVE-2020-13782 (CWE-78): “D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.” CVSS v3.1 base score 8.8 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`; CVSS v2 base score 6.5, `AV:N/AC:L/Au:S/C:P/I:P/A:P`.
- CVE-2020-13785 (CWE-326): “D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.” CVSS v3.1 base score 7.5 (HIGH), `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`; CVSS v2 base score 5.0, `AV:N/AC:L/Au:N/C:P/I:N/A:N`.