Threat Research

FortiGuard Labs Discovers Vulnerability in D-Link Router DIR868L

By Tony Loi | March 30, 2018

In August of 2017, FortiGuard Labs discovered a pre-authenticated remote code execution vulnerability on D-Link router DIR868L. This vulnerability is specific to a local ISP’s customized firmware.

This vulnerability, designated as FG-VD-17-214, is an unauthenticated buffer overflow that occurs when the affected router parses authentication requests. This vulnerability is rated as “Critical” because it can be exploited without user interaction, meaning it could easily be weaponized by cybercriminals. Upon successful exploitation, an attacker could then run arbitrary code under the privilege of a web service.

About the Vulnerability

The CGIBIN’s URI /authentication.cgi that handles authentication didn’t sanitize the input properly. As a result, a maliciously crafted HTTP request can cause a buffer overflow and lead to remote code execution.

Affected models: DIR868L

Affected firmware: v1.09SHC

Fixed firmware: v1.21SHCb03

Due to the severity and ease of exploitation of this vulnerability, FortiGuard Labs has followed a responsible disclosure protocol, which includes only releasing a partial disclosure as a warning for our customers, but which does not include code samples or a detailed description of the exploit.

We have recently observed that more than one hundred devices reachable via the internet are still using the old firmware, and are affected by this vulnerability. If you own any of the affected models, please go to http://www.dlink.com.sg/dir-868l/#firmware to update your device to the latest version as soon as possible. 

Disclosure Timeline

  • Aug 25 2017 – FortiGuard Labs contacted D-Link SG, IMDA by email about the vulnerability.
  • Oct 13 2017 – D-Link replied that its firmware was not affected. We responded by sending another poc.
  • Nov 23 2017 – D-Link confirmed the vulnerability.
  • Dec 20 2017 – D-Link sent us the patch and the advisory to verify.
  • Mar 13 2018 – FortiGuard Labs requested an update on the disclosure timeline.
  • Mar 14 2018 – D-Link SG released the patch.

Fortinet Customers Protected

When this vulnerability was initially discovered, Fortinet immediately released IPS signature Dlink.DIR800.URI.Buffer.Overflow to proactively protect our customers.

We would like to thank the D-Link SG Team, IMDA-ISG-CERT, SingCERT, and Cyber Security Agency for their cooperation in fixing this vulnerability.

-= FortiGuard Lion Team =-

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

Join the Discussion