Vulnerability impacts 400,000 D-Link devices


A code vulnerability in a web camera, discovered by researchers last month, was reused across D-Link's product lines, affecting more than 120 products and 400,000 individual devices.

The pre-authentication flaw, discovered by Senrio security researchers, was initially found in the D-Link DCS-930L, a wireless IP surveillance camera that is controlled remotely. The stack overflow vulnerability allows remote code execution on the device.

The researchers discovered that the software component appeared across the company's product lines, although it initially appeared that some of the products did not utilise the software component in the default settings.

However, this estimation unfortunately proved to be overoptimistic.

D-Link conducted its own analysis of the company's network routers, IoT devices, and home security devices and informed Senrio that more than 120 devices are affected.

“It constitutes a fairly sizable portion of their product line,” said Stephen A. Ridley, CTO and founder at Senrio.

The Taiwanese vendor has not yet released a patch for the flaw.

In January, Vectra Networks hacked D-Link's consumer-grade Wi-Fi webcam and used the camera to create a persistent access point into corporate networks.

“While the thought of strangers watching your sleeping baby is disturbing, the implications for enterprise and infrastructure environments are downright scary,” the Senrio blog post noted in June.

Manufacturers often opt to reuse firmware code across products to create cost savings and cut development time. However, code reuse can make it easier for attackers to exploit a small firmware component to launch attacks against multiple products.

The problem is especially dangerous in medical device and industrial control components, according to Ridley.

“Code reuse is vulnerability reuse,” he said.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition