October 14th, 2013, 21:18 PM
D-Link to padlock router backdoor by Halloween
D-Link will address by the end of October a security issue in some of its routers that could allow attackers to change the device settings without requiring a username and password.
The issue consists of a backdoor-type function built into the firmware of some D-Link routers that can be used to bypass the normal authentication procedure on their Web-based user interfaces.
Craig Heffner, a vulnerability researcher with Tactical Network Solutions, discovered and publicly reported the issue.
“If your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,” he wrote Saturday in a blog post.
When read in reverse, the last part of this hard-coded value is “edit by 04882 joel backdoor.”
D-Link will release firmware updates to address the vulnerability in affected routers by the end of October, the networking equipment manufacturer said via email.
The updates will be listed on a security page on the D-Link website and in the download section of the support page for each affected product.
The company did not clarify why the backdoor was placed in the firmware in the first place or what router models are affected.