Unauthenticated Remote DNS Change Vulnerability (DNSChanger): DSL‑2740R (fixed) and non‑European DSL routers

08 dubna, 2019

Overview

 

The following was originally posted by D-Link in Dec. 2016. This announcement has been updated for the latest information published on April 4, 2019 regarding DNSChanger Malware.

 

Tom’s Guide article published a report in Dec. 2016 discussing “a new malvertising campaign attacking at least 166 models from multiple manufacturers.” 

 

There's evidence that the malware targets 166 distinct router models, but only a handful can be identified. In the original report D-Link DSL-2740R was identified and a patch were offered.

 

D-Link has been made aware of a new post by a 3rd party expanding the scope and additionally accusing D-Link DSL-2640B, D-Link DSL-2780B,  and D-Link DSL-526B routers which are not sold in Europe with the accused firmware versions.

 

 

Accreditation and Coordination

 

(12/2016) : http://www.tomsguide.com/us/malvertising-router-attack,news-24034.html

 

Additional internet news posts from 2016 includes:

 

(04/04/2018) :https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/

badpackets.net/author/badpackets/

 

Exploit-DB:

DSL-2640B / Hardware Rev. T1 / Firmware GE_1.07 / Non-US : Link

DSL-2740R / Hardware Rev. Ax  / Firmware EU_1.15 / Non-US : Link

DSL-2780B / Hardware Rev. Ax / Firmware DLINK_1.01.14 / Non-US : Link

DSL-526B / Hardware Rev. Bx / Firmware AU_2.01 / Non-US : Link

 

Additional internet news posts from 2019 includes:

https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/
https://arstechnica.com/information-technology/2019/04/ongoing-dns-hijackings-target-unpatched-consumer-routers/
https://threatpost.com/hackers-abuse-google-cloud-platform-to-attack-d-link-routers/143492/
https://www.forbes.com/sites/kateoflahertyuk/2019/04/05/hackers-are-targeting-d-link-home-routers-heres-how-to-secure-yours/#10e7e41b2cb0

 

 

Affected Product Models and Patches:

 

DSL-2740R, which was available in Europe, was patched accordingly when it was identified to be vulnerable in 2015. The newly accused products are deployed with firmware that is not offered in Europe.  In addition, some of these models are deployed directly from carriers with certified and unique configurations.

 

If you have received your device from your carrier please contact them directly for patches. It is recommended to contact your regional D-Link Customer Care for specific fixes.  Using firmware that is not intended for your region or carrier is at your own risk and may disable the device.

  

Model Hardware Revision Region Affected FW Fixed FW Last Updated
DSL-526B All Revision B Australia AU v2.01 and older (lower) Under Investigation

05/04/2019

DSL-2640B All Revision T Malaysia GE v1.07 and older (lower) Under Investigation

05/04/2019

DSL-2740R All Revision A Europe EU v1.15 and older (lower) 1.17

01/2015

DSL-2780B All Revision A AU/NZ v1.01.14 and older (lower) Under Investigation 05/04/2019

 

 

Options for D-Link Routers and Gateways that are no longer supported or are under investigation :

  

     1. Contact your DSL Service Provider or Regional D-Link Customer Care for latest information and patches.

     2. Factory-Reset the device through its web-configuration interface at http://192.168.0.1, set a new unique password, and complete setup for your DSL carrier.

     3. Modify the device through its web-configuration interface at http://192.168.0.1, and manually set Domain Name Server (DNS) values (instructions can be found in the devices User Manuals Here):

  

          - Google DNS : 8.8.8.8 or 8.8.4.4

          - Cloudflare DNS: 1.1.1.1

 

 

Regarding Security patch for your D-Link Devices

 

Firmware updates address the security vulnerabilities of affected D-Link devices. D-Link will update this, when applicable, and we strongly recommend all users install the relevant updates.

 

As there are different hardware revisions of our products, please check your device before downloading the  corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found on the device web configuration.