Researchers at Senrio have released technical details surrounding a vulnerability in D-Link products, which if exploited, would allow a remote attacker full access to the devices. After being notified earlier this year, D-Link has promised to deliver fixes.
In June, Senrio briefly described the issue on their company blog, and while they used their own custom tools, an attacker could replicate their work in order to target a vulnerable product.
"The vulnerability allows code injection which lets the attacker set a custom password, granting remote access to the camera feed. Thus, even if users create a strong password, this type of exploit can override it. Instead of setting a new password as the exploit, an attacker could just as easily add a new user with administrator access, download firmware or otherwise re-configure this device," June's post explained.
Senrio discovered the flaw in a D-Link DCS-930L Cloud Camera, however, because the firmware is used across multiple product lines, D-Link estimates this vulnerability affects "more than 120 models across Connected Home Products, including cameras, routers, access points, modems, and storage..."
According to Shodan.io, there are 414,949 publicly accessible devices impacted by this vulnerability. Searchers for DCS-930L alone return 55,000 results.
D-Link is expected to post a schedule for fixes on support.dlink.com and mydlink.com/support.
However, the device manufacturer says they will prioritize releases based on active products. As such, the older D-Link models will need to be pulled from the Internet altogether, or the owners of said devices will need to accept the risk.