Overview
CVE-2018-18907 refers to an authentication vulnerability with D-Link DIR-850L routers that allows clients to communicate with the router without completing the full WPA handshake. Successful exploitation of this vulnerability allows an attacker to join the router’s network without the required credentials and mount further attacks against users of the network. D-Link DIR-850L routers with hardware revision A and firmware version 1.21B06 Beta and older are vulnerable to CVE-2018-18907. On Nov. 6, 2018, D-Link issued their official disclosure.
Impact
This vulnerability allows a user that has not authenticated to join the wireless network provided by the router. Once joined to that network, the user would have access to all services, computers, and devices available to any other user on that network. Unauthorized access to a network is often the first step in a broader attack.
Technical details
Following client and AP negotiation phases, it is possible to skip the four-way WPA handshake used to establish encryption parameters and validate ownership of the AP’s pre-shared key, and proceed directly to unencrypted communications.
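As an added illustration (not code from this advisory, D-Link, or Synopsys), the following sketch shows how a defender could check a monitor-mode capture of a WPA-protected network for the symptom described above: data frames sent without the Protected Frame bit that are not EAPOL handshake messages. It assumes raw 802.11 MAC frames with the radiotap header and FCS already stripped; the function names, MAC addresses, and sample frames are constructed for the example.

```python
import struct
from collections import Counter

LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
EAPOL = 0x888E  # handshake frames are legitimately sent unprotected

def classify(frame: bytes) -> str:
    """Classify one raw 802.11 MAC frame (no radiotap header, no FCS)."""
    if len(frame) < 24:
        return "short"
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2:
        return "not-data"
    if subtype & 0x4:                  # Null / QoS Null: no frame body
        return "no-payload"
    if flags & 0x40:                   # Protected Frame bit set
        return "protected"
    hdr = 24
    if (flags & 0x03) == 0x03:         # ToDS+FromDS: Addr4 present
        hdr += 6
    if subtype & 0x8:                  # QoS Control (+ HT Control if Order set)
        hdr += 6 if flags & 0x80 else 2
    body = frame[hdr:hdr + 8]
    if body[:6] == LLC_SNAP and body[6:8] == struct.pack(">H", EAPOL):
        return "eapol"
    return "cleartext-data"

def cleartext_senders(frames):
    """Count unprotected non-EAPOL data frames per transmitter (Addr2)."""
    hits = Counter()
    for f in frames:
        if classify(f) == "cleartext-data":
            hits[f[10:16].hex(":")] += 1
    return dict(hits)

def _frame(fc0, flags, sta, ethertype=0):
    """Build a constructed station-to-AP frame for the sample below."""
    ap = bytes.fromhex("02aabbccdd01")  # constructed BSSID
    hdr = bytes([fc0, flags, 0, 0]) + ap + sta + ap + b"\x00\x00"
    if fc0 & 0x80:                      # QoS subtype: add QoS Control
        hdr += b"\x00\x00"
    return hdr if fc0 & 0x40 else hdr + LLC_SNAP + struct.pack(">H", ethertype)

STA_A, STA_B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
SAMPLE = [                              # constructed capture, not real traffic
    _frame(0x08, 0x01, STA_A, EAPOL),   # handshake message, expected in clear
    _frame(0x88, 0x41, STA_A, 0x0800),  # protected data (body is not inspected)
    _frame(0x48, 0x01, STA_B),          # Null frame, carries no payload
    _frame(0x88, 0x01, STA_B, 0x0800),  # IPv4 in clear on a WPA network
    _frame(0x08, 0x01, STA_B, 0x0806),  # ARP in clear on a WPA network
]
```

Any station reported by `cleartext_senders` is exchanging payload data without encryption on a network that requires it, which is the condition the firmware patch removes.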
Patch location
D-Link published firmware version 1.21B07_i9d9_WW, updated on Nov. 6, 2018, which patches CVE-2018-18907. The DIR-850L routers were released with two hardware versions, A and B. Only the A hardware is affected by this disclosure. Users can verify their hardware version by looking at the product label on their router for the “H/W ver:” string. Affected users should update their D-Link DIR-850L routers to the latest firmware version available here, covered by these release notes.
Remediation
Users should update their D-Link DIR-850L routers to the latest firmware version available here. According to D-Link, if you are currently running firmware version 1.14 or lower, you must update your router to firmware versions 1.15B04 and 1.20B03 first before applying the security patch.
Product description
The D-Link DIR-850L AC1200 Wi-Fi Router is a consumer-grade wireless router used to provide access to the internet or a private home network. More information about the device is available at the vendor’s website. The DIR-850L was initially released in early 2013 and is designed for the consumer market. It is available in two hardware revisions, with only the A version being affected by this disclosure.
Discovery credit
Tuomo Untinen, a Synopsys engineer based in Oulu, Finland, discovered this vulnerability during development of additional Defensics SafeGuard checks.
Timeline
- Aug. 6, 2018: Synopsys discovers the issue.
- Aug. 7, 2018: The Synopsys research team contacts D-Link.
- Aug. 20, 2018: Synopsys contacts the National Cyber Security Centre Finland (NCSC-FI), part of the Finnish Communications Regulatory Authority.
- Sept. 20, 2018: Synopsys tests a vendor patch and confirms issue resolution to NCSC-FI.
- Nov. 6, 2018: D-Link publishes the firmware patch.
- Nov. 7, 2018: NCSC-FI publishes an advisory.
- Nov. 15, 2018: CyRC publishes this advisory.