D-Link Ignores Urgent Security Flaw in 60,000 Exposed Modems – What You Need to Know!
2024-11-12
Author: Ming
Introduction
Tens of thousands of D-Link modems that have reached the end of their life cycle, including the DSL6740C model, carry a critical vulnerability that lets unauthenticated attackers reset passwords and take full control of the devices from anywhere on the internet.
Discovery of the Vulnerability
The flaw was found by security researcher Chaio-Lin Yu, also known as Steven Meow, who reported it to Taiwan's Computer Emergency Response Team (TWCERTCC). The model is not sold in the U.S. market and has been designated end-of-life since the start of the year.
D-Link's Response
In a recent advisory, D-Link stated that it will not fix the issue. Its recommendation is that users 'retire and replace D-Link devices that have reached end-of-life (EOL) or end-of-service (EOS).'
Details of the Vulnerabilities
The specific vulnerabilities were detailed as follows:
CVE-2024-11068
Allows unauthenticated attackers to change any user's password, including the administrator's, through privileged API access. It carries a critical CVSS v3 score of 9.8.
CVE-2024-11067
A path traversal weakness that lets unauthenticated attackers read arbitrary system files, recover the device's MAC address from them, and then attempt to log in with the default credentials. CVSS v3 score: 7.5 (high).
CVE-2024-11066
Allows attackers who already have admin access to execute arbitrary commands on the host operating system through a dedicated web page. CVSS v3 score: 7.2 (high).
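To make the two bug classes behind CVE-2024-11067 and CVE-2024-11066 concrete, here is an added illustration. It is not the DSL6740C firmware (which is not public) and not code from the advisory: it shows a generic path-traversal file read and a generic OS command injection of the kind described above, each beside a hardened form. The web root, the 'passwd' file, the 'file' and 'host' parameters and the attacker payloads are all constructed for the example.

```python
"""Added illustration of the bug classes described above: a path-traversal
file read (CVE-2024-11067 class) and an OS command injection (CVE-2024-11066
class), each next to a hardened form. Constructed example only: this is not
the DSL6740C firmware, and every file name and parameter here is invented."""
import os
import re
import subprocess
import tempfile

# Constructed fixture: a web root with one page, and a "secret" file outside it
# that stands in for something like /etc/passwd on the device.
WEBROOT = tempfile.mkdtemp(prefix="webroot-")
with open(os.path.join(WEBROOT, "index.html"), "w") as f:
    f.write("<html>login</html>")
SECRET = os.path.join(tempfile.mkdtemp(prefix="outside-"), "passwd")
with open(SECRET, "w") as f:
    f.write("admin:x:0:0::/:/bin/sh\n")   # constructed content

# What an attacker would send as the "file" parameter to walk out of WEBROOT.
TRAVERSAL_PAYLOAD = os.path.relpath(SECRET, WEBROOT)      # e.g. ../outside-xyz/passwd
# What an attacker would send as the "host" parameter of a ping diagnostic page.
INJECTION_PAYLOAD = f"127.0.0.1; cat {SECRET}"


def read_file_weak(requested: str) -> str:
    """Vulnerable: the client-supplied name is joined under WEBROOT as-is.
    '../' sequences escape the root; an absolute path replaces it entirely."""
    with open(os.path.join(WEBROOT, requested)) as f:
        return f.read()


def read_file_hardened(requested: str) -> str:
    """Resolve symlinks and '..' first, then refuse anything outside WEBROOT."""
    root = os.path.realpath(WEBROOT)
    path = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path traversal blocked: {requested!r}")
    with open(path) as f:
        return f.read()


HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # hostnames and IPv4 literals only


def run_ping_weak(host: str) -> str:
    """Vulnerable: the parameter is spliced into a shell command line, so a
    ';' in it starts a second command that runs with the web server's rights."""
    result = subprocess.run(f"ping -c 1 -W 1 {host}", shell=True,
                            capture_output=True, text=True, timeout=15)
    return result.stdout


def ping_argv_hardened(host: str) -> list:
    """Validate against an allow-list and build an argv list: no shell is
    involved, so metacharacters cannot change what runs. The caller passes
    this list to subprocess.run(argv) without shell=True."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", "-W", "1", host]


if __name__ == "__main__":
    print(read_file_weak(TRAVERSAL_PAYLOAD), end="")          # leaks the secret
    print(run_ping_weak(INJECTION_PAYLOAD).count("admin:"), "secret line(s) via injection")
    for fn, arg in ((read_file_hardened, TRAVERSAL_PAYLOAD),
                    (ping_argv_hardened, INJECTION_PAYLOAD)):
        try:
            fn(arg)
        except (PermissionError, ValueError) as e:
            print("blocked:", e)
```

The hardened file read relies on resolving the path before the containment check; checking for the substring '..' alone misses absolute paths and symlinks. The hardened ping never hands user input to a shell at all, and the allow-list rejects the payload before anything runs.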
Prevalence of the Vulnerability
A recent search on the FOFA search engine found nearly 60,000 D-Link DSL6740C modems reachable over the internet, predominantly in Taiwan. D-Link has previously made clear that end-of-life (EoL) devices receive no updates or patches, however critical the vulnerability, so every one of those devices will stay exploitable until it is taken offline or replaced.
Additional Vulnerabilities
TWCERTCC also disclosed four further high-severity OS command injection vulnerabilities in the same device, tracked as CVE-2024-11062, CVE-2024-11063, CVE-2024-11064, and CVE-2024-11065.
Recommended Actions for Users
Users of the affected modems should act now. The only complete fix is to replace the modem with a supported model. Where that is not immediately possible, at minimum block management access from the internet (WAN side) and replace the default credentials with strong, unique passwords. Note that a strong password on its own does not defend against CVE-2024-11068, which lets an unauthenticated attacker change the password; keeping the management interface unreachable from the internet is what actually matters.
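Whether management access really is blocked from the internet can be verified rather than assumed. The following is an added example, not part of the original article and not D-Link tooling: run from outside your own network (a phone hotspot or a remote host) against the modem's public IP address, it reports which common management ports accept connections and what the HTTP service announces about itself before any login. The port list is an assumption (this page does not state which ports the DSL6740C uses); the small fake modem server is included only so the script can demonstrate itself on localhost, and its banner is invented.

```python
"""Added example: check what an internet-side attacker can reach on a modem's
management ports, plus a tiny fake "modem" HTTP service (constructed, with an
invented banner) so the check can be demonstrated offline on 127.0.0.1."""
import http.server
import socket
import sys
import threading

# Assumption: common consumer-router management ports. The DSL6740C's real
# ports are not stated in the article; adjust to what your device uses.
MANAGEMENT_PORTS = {80: "http", 443: "https", 8080: "http-alt", 23: "telnet", 22: "ssh"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes (refused/filtered -> False)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host: str, ports=MANAGEMENT_PORTS, timeout: float = 2.0) -> dict:
    """Map of port -> service name for every port that accepted a connection."""
    return {p: name for p, name in ports.items() if probe_port(host, p, timeout)}


def http_banner(host: str, port: int, timeout: float = 2.0) -> dict:
    """Send a bare HEAD request and return the status line plus headers
    (lower-cased names). 'server' and 'www-authenticate' usually identify
    the device family even before any login."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


class _FakeModem(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an exposed modem UI; the banner is invented."""
    server_version = "Constructed-Modem-HTTPd/1.0"
    sys_version = ""

    def do_HEAD(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="modem"')
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_modem() -> int:
    """Start the fake modem on an ephemeral localhost port; return the port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeModem)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # real check: python3 exposure.py <public-ip>
        target, ports = sys.argv[1], MANAGEMENT_PORTS
    else:                                       # offline demo against the fake modem
        target, ports = "127.0.0.1", {start_fake_modem(): "http"}
    found = exposed_services(target, ports)
    print(f"{target}: reachable management ports: {found or 'none'}")
    for port, name in found.items():
        if name.startswith("http"):
            print(f"  {port}/{name}: {http_banner(target, port)}")
```

If the script reports any reachable port from outside, the device is in the population the FOFA search counted: disable remote management in the modem's settings or filter the WAN side, then re-run the check from outside to confirm.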
Conclusion
Consumer network equipment has a finite support life, and this incident shows what happens when that life is exceeded: devices with critical, publicly documented flaws stay on the internet with no fix coming. Check whether any of your devices are past end of support, and replace the ones that are.