The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2014-100005 – A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session
- CVE-2021-40655 – An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page
There are currently no details on how these shortcomings are exploited in the wild, but federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024.
It’s worth noting that CVE-2014-100005 affects legacy D-Link products that have reached end-of-life (EoL) status, necessitating that organizations still using them retire and replace the devices.
The development comes as the SSD Secure Disclosure team revealed unpatched security issues in DIR-X4860 routers that could enable remote unauthenticated attackers to access the HNAP port in order to obtain elevated permissions and run commands as root.
“By combining an authentication bypass with command execution the device can be completely compromised,” it said, adding the issues impact routers running firmware version DIRX4860A1_FWV1.04B03.
SSD Secure Disclosure has also made available a proof-of-concept (PoC) exploit, which employs a specially crafted HNAP login request to the router’s management interface to get around authentication protections and achieve code execution by taking advantage of a command injection vulnerability.
D-Link has since acknowledged the issue in a bulletin of its own, stating a fix is “Pending Release / Under Development.” It described the vulnerability as a case of LAN-side unauthenticated command execution flaw.
Ivanti Patches Multiple Flaws in Endpoint Manager Mobile (EPMM)
Cybersecurity researchers have also released a PoC exploit for a new vulnerability in Ivanti EPMM (CVE-2024-22026, CVSS score: 6.7) that could permit an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.
“This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL,” Redline Cyber Security’s Bryan Smith said.
The problem stems from a case of inadequate validation in the EPMM command-line interface’s installation command, which can fetch an arbitrary RPM package from a user-provided URL without verifying its authenticity.
CVE-2024-22026 impacts all versions of EPMM before 12.1.0.0. Also patched by Ivanti are two other SQL injection flaws in the same product (CVE-2023-46806 and CVE-2023-46807, CVSS scores: 6.7) that could allow an authenticated user with appropriate privilege to access or modify data in the underlying database.
While there is no evidence that these flaws have been exploited, users are advised to update to the latest version to mitigate potential threats.