D-Link issues hotfix for hard-coded password router vulnerabilities

D-Link has issued a firmware hotfix to address multiple vulnerabilities in the DIR-3040 AC3000-based wireless internet router.

Once successfully exploited, these vulnerabilities let attackers execute arbitrary code on unpatched routers, gain access to sensitive information, or crash the routers by triggering a denial of service condition.

The DIR-3040 security flaws discovered and reported by Cisco Talos security researcher Dave McDaniel include hardcoded passwords, command injection, and information disclosure bugs.

Authentication bypass via specially crafted requests

The CVE-2021-21818 and CVE-2021-21820 hard-coded password and credentials vulnerabilities [1, 2] exist in the router’s Zebra IP Routing Manager and the Libcli Test Environment functionality.

Both of them allow threat actors targeting vulnerable D-Link DIR-3040 routers to bypass the authentication process configured by the software administrator.

Attackers can trigger them by sending a sequence of specially crafted network requests, leading to denial of service and code execution on the targeted router, respectively.

CVE-2021-21819, a critical OS command injection vulnerability found in the router’s Libcli Test Environment functionality, can also be abused by adversaries for code execution.

Additionally, a “hidden telnet service can be started without authentication by visiting https:///start_telnet,” after which an attacker can log into the Libcli test environment using a default password stored in unencrypted form on the router.

Vulnerabilities addressed in firmware hotfix

D-Link has resolved the bugs found in firmware version 1.13B03 and has issued a firmware hotfix for all affected customers on July 15, 2021, available for download here.

The complete list of vulnerabilities addressed by D-Link with this hotfix includes:

  • CVE-2021-21816 – Syslog information disclosure vulnerability
  • CVE-2021-21817 – Zebra IP Routing Manager information disclosure vulnerability
  • CVE-2021-21818 – Zebra IP Routing Manager hard-coded password vulnerability
  • CVE-2021-21819 – Libcli command injection vulnerability
  • CVE-2021-21820 – Libcli Test Environment hard-coded password vulnerability

D-Link says that the firmware hotfix released to address the bugs found by Cisco Talos is “a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release.”

The table below lists the vulnerable router models and links to the updated firmware version containing the fix.

Model: DIR-3040
Hardware Revision: All Ax Hardware Revisions
Affected FW: v1.13B03 & Below
Fixed FW: v1.13B03 Hotfix
Recommendation: 1) Please Download Patch and Update Device; 2) Full QA Firmware under test for automatic F/W update notification on D-Link Wifi mobile App
Last Updated: 06/09/2021
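As an added example that is not part of the article or of D-Link's own tooling, the following Python checks a device inventory against the affected range above; because the fixed firmware keeps the same base version (v1.13B03) and differs only by the "Hotfix" designation, a numeric version comparison alone would misclassify patched devices. The version regex and the sample inventory are assumptions.

```python
import re
from typing import List, Tuple

# D-Link version strings look like "v1.13B03"; the fix shipped as "v1.13B03 Hotfix".
# Added example, not D-Link or Talos code: the regex and the sample inventory are
# assumptions based only on the strings quoted in the article.
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)B(\d+)(?:\s+(hotfix))?$", re.IGNORECASE)

LAST_VULNERABLE = (1, 13, 3)  # "v1.13B03 & Below"


def parse_version(s: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, build), has_hotfix) for a D-Link firmware string."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised D-Link firmware version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None


def is_affected(model: str, version: str) -> bool:
    """True for a DIR-3040 on v1.13B03 or older without the hotfix applied.

    The hotfix keeps the same base version number, so a numeric comparison
    alone would flag patched devices; the 'Hotfix' marker is checked explicitly.
    """
    if model.strip().upper() != "DIR-3040":
        return False
    base, hotfix = parse_version(version)
    return base <= LAST_VULNERABLE and not hotfix


# Constructed sample inventory (not real devices).
INVENTORY = [
    ("DIR-3040", "v1.13B03"),          # affected
    ("DIR-3040", "v1.13B03 Hotfix"),   # patched
    ("DIR-3040", "v1.12B01"),          # affected (older build)
    ("DIR-3040", "v1.14B01"),          # newer than the advisory range
    ("DIR-XXXX", "v1.13B03"),          # placeholder model, out of scope here
]


def affected_devices(inventory=INVENTORY) -> List[Tuple[str, str]]:
    """Return the (model, version) pairs that still need the hotfix."""
    return [(m, v) for m, v in inventory if is_affected(m, v)]


if __name__ == "__main__":
    for model, ver in affected_devices():
        print(f"{model} {ver}: affected, apply the v1.13B03 hotfix")
```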

D-Link has patched other severe vulnerabilities in multiple router models in the past, including remote command injection bugs enabling attackers to take complete control of vulnerable devices.

Previously, the company fixed five critical vulnerabilities impacting some of its routers that made it possible for threat actors to steal admin credentials, bypass authentication, and execute arbitrary code in reflected Cross-Site Scripting (XSS) attacks.
