
D-Link AirPlus DI-614+ and DI-604 DHCP Server Flooding Denial

tdinc

The D-Link DI-614+ and DI-604 are reported susceptible to a denial of service vulnerability in their DHCP service.

By flooding the DHCP service with valid DHCP requests, the device will reportedly consume all available memory and eventually reboot.

An attacker may be able to deny service to legitimate users of an affected device by repeatedly causing the device to reboot.

The DI-614+ with firmware revision 2.30, and the DI-604 with unknown firmware were reported vulnerable.

Reportedly, firmware revision 3.41 has been released for the DI-614+ Revision B device. Neither the Revision A device (with two antennas), nor the DI-604 device, have new firmware versions to resolve this issue.

Please contact D-Link for further information.



| The DI614+ SOHO router (latest firmware rev 2.30) will automatically
| reboot when flooded with valid DHCP REQUEST packets built with
| forged source mac addresses or unique CLIENTID and sent without any
| REQUESTEIP option. Upon reception of this kind of request, DLINK's
| DI614+ normally behaves by checking if a lease is available and
| then replying by offering an ip address along with other network
| settings as configured through the web-based interface. However if
| such packets are sent at a good enough rate, the DLINK box will be
| left in an unstable state immediately followed by a system reboot.
| Timing is quite important here and makes me think that too many
| simultaneous requests force the SOHO router to eventually allocate
| too much memory and thus to reboot. It is actually hard to know
| with precision where the problem actually lives since no sources
| are made available to the public.
|
| Note that a reboot will clear any existing lease (as well as logs)
| and may introduce a subsequent chaos between DHCP clients. Also
| note that only a few seconds are necessary to DOS the box this way,
| even less time than needed by the system to reboot. So it is a
| condition of permanent denial of service.
|
| DLINK 614+ is used, among others, by coffee shops, therefore a
| successful exploitation may have very disturbing effects.
|
|
| EXPLOITATION:
|
| This bug will NOT be triggered if a REQUESTIP DHCP option is sent
| along with the request or if no ip address is available for dynamic
| lease at the time of the attack.
|
| Also for a successful exploitation, packets must be sent at a high
| enough rate (ie: 50 packets/s is working)
|
|
| VENDOR:
|
| DLINK's support staff has been contacted but doesn't
| bother to reply
|
|
| WORKAROUND:
|
| Use static leasing only and/or disable DLINK's DHCP service
|
|
| VULNERABLE:
|
| firmware up to rev 2.30 (latest)
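
Detection logic for the traffic pattern the quoted advisory describes, added here as an example (not part of the original post, the advisory, or any D-Link code): it parses DHCP payloads and alerts when many distinct clients send a DHCPREQUEST without the requested-IP option (option 50) inside a short window. The 50-per-second threshold is an assumption taken from the advisory's rate figure, and the names `DhcpFloodDetector` and `sample_request` are hypothetical.

```python
from collections import deque

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def parse_dhcp(payload):
    """Return (chaddr, {option_code: value}) for a BOOTP/DHCP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    chaddr = payload[28:28 + min(payload[2], 16)]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                   # truncated option header
            break
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return chaddr, opts

class DhcpFloodDetector:
    """Alert when many distinct clients send DHCPREQUEST without option 50."""
    def __init__(self, threshold=50, window=1.0):   # assumed: 50 clients per second
        self.threshold, self.window = threshold, window
        self.seen = deque()                         # (timestamp, client identity)

    def observe(self, ts, payload):
        parsed = parse_dhcp(payload)
        if parsed is None:
            return False
        chaddr, opts = parsed
        # Option 53 = message type (3 = REQUEST), option 50 = requested IP.
        if opts.get(53) != b"\x03" or 50 in opts:
            return False
        # A renewing client also omits option 50, so a single identity is normal;
        # the signal is the number of distinct identities inside the window.
        self.seen.append((ts, opts.get(61, chaddr)))  # option 61 = client identifier
        while ts - self.seen[0][0] > self.window:
            self.seen.popleft()
        return len({ident for _, ident in self.seen}) >= self.threshold

def sample_request(mac, requested_ip=None):
    """Constructed sample input: a minimal DHCPREQUEST payload."""
    head = bytes([1, 1, 6, 0]) + bytes(24) + mac.ljust(16, b"\0") + bytes(192)
    opts = b"\x35\x01\x03" + (b"\x32\x04" + requested_ip if requested_ip else b"")
    return head + MAGIC + opts + b"\xff"
```

Feed `observe()` the UDP payload and capture timestamp of each packet seen on port 67; it returns `True` once the distinct-client count in the window reaches the threshold.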
 
