D-Link issued fixes on Monday for flaws that could allow hackers to access your router remotely. One of the routers has already been fixed, but the other models will also be patched in the coming week.
The vulnerabilities were found by Peter Adkins, who is a systems engineer in Canada. He said he alerted the company to the issues in early January. He decided to publicize them last week after he fell out of contact with D-Link.
D-Link acknowledged Adkins’ findings in its advisory, which includes three new firmware versions for its DIR-820L router. The company expects to release more firmware updates in the coming week for the DIR-626L, DIR-636L, DIR-808L, DIR-810L, DIR-26L, DIR-830L and DIR-836L routers.
One of the most serious flaws Adkins found is a cross-site request forgery vulnerability. It affects a service that runs on the DIR-820L and handles dynamic requests such as updating usernames and passwords. The service can be reached if a victim is lured onto a malicious webpage, according to his writeup.
The attacker would then gain full control over the router. This would enable the attacker to change its DNS settings or even launch a telnet service, among other things.
Adkins also found other problems. One of them could allow unauthenticated access to the router if remote management is enabled. Another flaw allowed him to upload a file that would overwrite the router’s DNS settings.
D-Link said that some of these attacks can be blocked by disabling a remote management feature that can provide access to a router’s settings. The company claims that the capability is turned off by default.