D-Link developers have eliminated several vulnerabilities by releasing new firmware for the DIR-3040 AC3000 router. These bugs allowed attackers to execute arbitrary code, gain access to confidential information, or disable a device through a denial of service.
The vulnerabilities were discovered by Cisco Talos experts, and among them are hard-coded credentials, command injection issues and information disclosure:
- CVE-2021-21816: Syslog Disclosure
- CVE-2021-21817: Zebra IP Routing Manager Information Disclosure
- CVE-2021-21818: Zebra IP Routing Manager Hardcoded Password
- CVE-2021-21819: Libcli Command Injection
- CVE-2021-21820: Hardcoded Password in Libcli Test Environment
Vulnerabilities CVE-2021-21818 and CVE-2021-21820 are hard-coded credentials found in Zebra IP Routing Manager and the Libcli Test Environment. Both issues allow an attacker to bypass the authentication process through specially crafted network requests. This will ultimately lead to either a denial of service or arbitrary code execution on the target router.
Another critical vulnerability, CVE-2021-21819, is a command injection issue found in the Libcli Test Environment. This problem can also be used to execute arbitrary code. In addition, the issue allows the hidden telnet service to be started without authentication by simply visiting `https://<router address>/start_telnet`, after which it is possible to log in to the Libcli Test Environment using the default password, which is stored on the router unencrypted.
On July 15, 2021, the D-Link developers fixed these problems by releasing a hotfix for firmware 1.13B03 and below.