Security researchers have discovered various unpatched security flaws in the D-Link DWR-932B LTE router, including backdoor accounts and a default Wi-Fi Protected Setup (WPS) PIN.
The device is on sale in numerous countries, and it looks like customers' security will be compromised because of the numerous security problems. The flaws were disclosed by Pierre Kim, who said he had decided to show only the most significant of them and noted that the problems are present even in the latest firmware version released by the company.
Earlier this year, Kim also revealed unpatched vulnerabilities affecting LTE QDH routers made by Quanta, including backdoors, a hardcoded PIN, flaws in the web interface, a remote code execution issue and various other bugs. The vulnerabilities affecting the D-Link router are similar to those seen on the Quanta device.
The researcher also discovered two backdoor accounts on the device, which he said can be used to bypass the HTTP authentication used to manage the router. There is an admin account with the password ‘admin’ and a root account with the password ‘1234’. By default, telnetd and sshd are both running on the D-Link DWR-932B, but the latter has not been documented, according to the research.
There is another backdoor in the /bin/appmgr program. It lets an attacker send a specific string over UDP to the router to start an authentication-less telnet server. The router listens on 0.0.0.0:39889 (UDP) for commands, and when ‘HELODBG’ is received as the command it gives access as root without authentication.
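The following Python detector is an added example, not code from Kim's advisory or from D-Link. It flags datagrams sent to UDP port 39889 on a router and telnet sessions to the same router that follow within a time window; the flow-record format, the window length and the sample records are constructed assumptions.

```python
from collections import defaultdict

BACKDOOR_UDP_PORT = 39889  # UDP port the article says the router listens on
TELNET_TCP_PORT = 23
WINDOW_SECONDS = 300       # assumption: correlation window, tune for your network

# Constructed sample flow records: "<epoch> <proto> <src> <dst> <dport>"
SAMPLE_LOG = """\
1475000000 udp 192.168.1.50 192.168.1.1 53
1475000010 udp 192.168.1.77 192.168.1.1 39889
1475000025 tcp 192.168.1.77 192.168.1.1 23
1475000100 tcp 192.168.1.50 192.168.1.1 80
1475003000 udp 192.168.1.90 192.168.1.1 39889
1475009000 tcp 192.168.1.50 192.168.1.1 23
not a flow record
"""

def parse(line):
    """Return (ts, proto, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    ts, proto, src, dst, dport = parts
    return int(ts), proto.lower(), src, dst, int(dport)

def detect(log_text, window=WINDOW_SECONDS):
    """Flag backdoor-port datagrams and telnet sessions that follow them."""
    records = sorted((r for r in map(parse, log_text.splitlines()) if r),
                     key=lambda r: r[0])
    triggers = defaultdict(list)  # router address -> times of port-39889 datagrams
    findings = []
    for ts, proto, src, dst, dport in records:
        if proto == "udp" and dport == BACKDOOR_UDP_PORT:
            triggers[dst].append(ts)
            findings.append({"ts": ts, "router": dst, "src": src,
                             "kind": "backdoor-port-datagram"})
        elif proto == "tcp" and dport == TELNET_TCP_PORT:
            # Telnet shortly after a datagram to the backdoor port is the
            # pattern the article describes for the unauthenticated server.
            if any(0 <= ts - t <= window for t in triggers[dst]):
                findings.append({"ts": ts, "router": dst, "src": src,
                                 "kind": "telnet-after-backdoor-datagram"})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Blocking UDP 39889 and TCP 23 toward the router at any upstream filter you control removes the traffic this detector looks for.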
D-Link was informed of the issues back in June, but the company has failed to resolve them until now. With the 90-day grace period given to a vendor when vulnerabilities are disclosed having passed, Kim decided to disclose the bugs in a published advisory.
This is not the first time D-Link products have made headlines because of security vulnerabilities. The company patched another critical flaw in several DIR model routers back in August, and a flaw discovered in June in a popular D-Link Wi-Fi camera affected 120 D-Link products.