RCE Vulnerability in D-Link WAP Let Attackers Gain Remote Access

The D-Link DAP-2310 Wireless Access Point (WAP) has been identified as vulnerable to remote code execution (RCE).

Dark Wolf Solutions discovered this vulnerability, which seriously threatens users by allowing attackers to gain unauthorized remote access.

This guide delves into the details of the vulnerability, the affected models, and the recommendations for users.

Understanding the Vulnerability: BouncyPufferfish

Dark Wolf Solutions has named the vulnerability “BouncyPufferfish.” It exploits a stack-based buffer overflow in the D-Link DAP-2310’s ATP binary.

This binary handles PHP HTTP requests for the Apache HTTP Server (httpd) running on the device.

By sending a specially crafted HTTP GET request using a curl command, attackers can trigger the buffer overflow, execute a Return-Oriented Programming (ROP) chain, and ultimately call the system() function to run arbitrary shell commands.

This vulnerability is particularly concerning because it does not require authentication, making it easier for attackers to exploit.

Dark Wolf Solutions’ proof-of-concept highlights the ease with which this vulnerability can be leveraged, posing a significant risk to users who continue to operate these devices.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Affected Models and End-of-Life Status

The D-Link DAP-2310, in all hardware revisions, is affected by this vulnerability. Importantly, this model has reached its End-of-Life (EOL) and End-of-Service Life (EOS) as of November 30, 2021.

This means that D-Link no longer provides support or firmware updates for these devices, leaving them vulnerable to exploitation.

Model	Region	Hardware Revision	End of Support	Last Updated
DAP-2310	Worldwide	All Series	11/30/2021	07/09/2024

Given the EOL/EOS status, users are strongly advised to retire and replace these devices. Using them without support or updates increases the risk of security breaches.

Recommendations for Users

D-Link has issued a clear recommendation for users of the DAP-2310 and other EOL/EOS products: retire and replace these devices. The lack of ongoing support and updates means that any vulnerabilities discovered will remain unpatched, posing a continuous security risk.

For users who choose to continue using these devices despite the risks, D-Link suggests the following precautions:

1. Firmware Updates: Ensure the device runs the most recent version before EOL.
2. Password Security: Regularly update the unique password to access the device’s web configuration.
3. WIFI Encryption: Always enable WIFI encryption with a strong, unique password to protect wireless communications.

These measures can help mitigate some risks, but they are not foolproof. The best action remains to replace these outdated devices with newer, more secure models.

In conclusion, the RCE vulnerability in the D-Link DAP-2310 highlights the importance of keeping network devices up-to-date and replacing them once they reach EOL/EOS.

Users are encouraged to contact their regional D-Link office for recommendations on suitable replacements to ensure their network security remains robust.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial