Overview
Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected.
Description
CVE-2013-6026: According to security researcher Craig Heffner, the firmware for various D-Link routers contains a backdoor that allows unauthenticated remote users to bypass the routers' password authentication mechanism. A router's internal web server will accept and process any HTTP requests that contain the User-Agent string "xmlset_roodkcableoj28840ybtide" without checking if the connecting host is authenticated.
According to the original vulnerability report, the following Planex routers are likely affected:
It appears that Alpha Networks may be the OEM for routers branded by D-Link and Planex (and probably other vendors). It is not clear where in the supply chain the backdoor was added, so routers from any of these vendors may be affected.
CVE-2013-6027: A separate stack overflow vulnerability in the management web server has also been reported.
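As an added example (not part of the original advisory and not vendor code), the following Python code shows how a network sensor or proxy could flag HTTP requests that carry the CVE-2013-6026 User-Agent string described above. The function names, sample requests and source addresses are constructed for illustration, and the matching rule is an assumption noted in the code.

```python
# Added example: flag HTTP requests carrying the CVE-2013-6026 User-Agent.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # string quoted in the advisory


def user_agents(raw_request):
    """Return every User-Agent value found in one raw HTTP request head."""
    text = raw_request.replace(b"\r\n", b"\n").decode("latin-1")
    head = text.split("\n\n", 1)[0]          # ignore the body
    headers = []
    for line in head.split("\n")[1:]:        # skip the request line
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += " " + line.strip()   # folded continuation line
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip().lower(), value.strip()])
    return [value for name, value in headers if name == "user-agent"]


def is_backdoor_request(raw_request):
    """True if any User-Agent header contains the backdoor string."""
    # Assumption: case-insensitive substring match; firmware's check may differ.
    return any(BACKDOOR_UA in ua.lower() for ua in user_agents(raw_request))


def scan(captures):
    """captures: iterable of (source_ip, raw_request) -> list of hits."""
    return [(src, raw.split(b"\r\n", 1)[0].decode("latin-1"))
            for src, raw in captures if is_backdoor_request(raw)]


# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLES = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Lower-case header name and no space after the colon.
    ("198.51.100.7", b"GET / HTTP/1.1\r\n"
                     b"user-agent:xmlset_roodkcableoj28840ybtide\r\n\r\n"),
    # Duplicate header: a benign value first, the backdoor value second.
    ("203.0.113.5", b"POST / HTTP/1.0\r\nUser-Agent: Mozilla/5.0\r\n"
                    b"User-Agent: xmlset_roodkcableoj28840ybtide\r\n\r\n"),
    # String only in the body: not a User-Agent match, so not flagged.
    ("192.0.2.44", b"POST / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
                   b"note=xmlset_roodkcableoj28840ybtide"),
]

if __name__ == "__main__":
    for src, request_line in scan(SAMPLES):
        print(f"ALERT CVE-2013-6026 User-Agent from {src}: {request_line}")
```

Every User-Agent header is checked, not only the first, because a sensor that stops at the first value can be shown a benign one while the device reads another.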
Impact
An unauthenticated remote attacker can take any action as an administrator using the remote management web server.
Solution
D-Link is maintaining a page to inform users of this issue and provide updates as patches are released.
Restrict Access
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.5 | E:F/RL:W/RC:C |
Environmental | 5.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Craig Heffner of /DEV/TTYS0 for reporting this vulnerability.
This document was written by Todd Lewellen.
Other Information
CVE IDs: CVE-2013-6026, CVE-2013-6027
Date Public: 2013-10-12
Date First Published: 2013-10-17
Date Last Updated: 2014-07-29 23:29 UTC
Document Revision: 34