
D-Link fixes multiple vulnerabilities in Nuclias Connect network management tool

Networking company D-Link recommends software upgrades after high-severity flaws reported by Aussie company Tesserent.

David Hollingworth
Tue, 25 Jun 2024

Networking and telecoms firm D-Link is urging customers to upgrade their installations of its free network management tool Nuclias Connect after security researchers discovered multiple vulnerabilities.

Researchers at Australian cyber security firm Tesserent’s Argentina office reported the flaws to D-Link in April, and earlier this month, D-Link addressed the vulnerabilities with updates to the Windows and Linux versions of the software.

“The most critical vulnerabilities stem from inadequate access controls, where a user with the lowest privileges can manipulate private information to gain control over the root admin account,” Tesserent’s researchers reported on 28 April.


“Once the root admin account is compromised, our investigation also uncovered a path traversal vulnerability, which permits users with administrative rights to access sensitive server files. Additionally, issues such as XSS and the insecure practice of storing tokens in local storage could lead to unauthorised access to other user accounts, including that of the root administrator.”

The vulnerabilities impact v1.2.1.5 and below of both the Windows and Linux versions of the software.

Of the four distinct vulnerabilities, two have a CVSS 3.1 score of high (that is, between seven and 10 out of a possible top score of 10), while one is rated medium, with the fourth vulnerability rated at low severity.

On 3 June, D-Link posted a security announcement on its support website recommending its customers upgrade Nuclias Connect to the latest version – either v1.2.1.5b1 for Windows or v1.2.1.5b1 for Linux.

“Installing software updates is critical in addressing security vulnerabilities in your D-Link devices,” D-Link said in its advisory.

“D-Link strongly urges all users to install the relevant updates and regularly check for further updates.”

D-Link did note, however, that “beta software, beta firmware, or a hot-fix release is still undergoing rigorous testing before its official release”.

“This ensures that the software is of the highest quality and meets our stringent standards. However, it is essential to understand that the user assumes all risk and liability for its use.”

When asked to confirm if the current version is in fact a beta release, a D-Link spokesperson responded with the following comment.

“Regarding the Nuclias Connect vulnerability incident, to ensure our customers were protected as early as possible after receiving notification of the vulnerability in early May, we promptly began remediation efforts,” the spokesperson said.

“The patched software version was made available on May 31st, with an official announcement issued on June 3rd. Moving forward, Nuclias Connect v1.3.0 is scheduled for an official release during Q3.”

Silas Barnes, senior partner for offensive security services at Tesserent, said that vulnerability research is essential to keeping its clients safe.

“Ethical disclosure of vulnerabilities is crucial to combating and disrupting threat actor activity,” Barnes told Cyber Daily via email.

“Tesserent takes its responsibility to the broader cyber security community seriously and continues to work with vendors, law enforcement and government agencies to help combat malicious activity and protect organisations from cyber attacks.”


UPDATED 26/06/24 to add further D-Link commentary.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.