D-Link, Comba network gear leave passwords open for potentially whole world to see

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners’ passwords out in the open.

Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers.

For D-Link gear, two bugs were discovered in the firmware for the DSL-2875AL and DSL-2877AL wireless ADSL modem/router. The first bug describes a configuration file in the DSL-2875AL that contains the user password, and does not require any authentication to view: you just have to be able to reach the web-based admin console, either on the local network or across the internet, depending the device’s configuration.

“This file is available to anyone with access to the web-based management IP address and does not require any authentication,” Trustwave’s Karl Sigler said on Tuesday. “The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there.”

The second flaw is present in both the 2857AL and 2877AL models. It is less a “flaw” than a glaring security oversight: the source code for the router log-in page (again, accessible to anyone that can reach its built-in web UI server) contains the ISP username and password of the user in plain text. This can be pulled up simply by choosing the “view source” option in a browser window.

Fixes have been released for both models. Those with the 2877AL modem will want to get Firmware 1.00.20AU 20180327, while owners of the 2875AL should update to at least version 1.00.08AU 20161011.

The Register tried to get in touch with D-Link for comment on the matter, but was unable to get a response. Trustwave didn’t fare much better, saying that the bugs were only listed as patched after the researchers told D-Link they were going public with the findings, after waiting months for the router biz to get its act together.

Source: D-Link, Comba network gear leave passwords open for potentially whole world to see • The Register