Another HNAP flaw in D-Link routers

CERT recently issued an advisory about a flaw in D-Link routers, specifically, in the parsing of HNAP messages. The advisory warns that "A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges." That's as bad as it gets. 

There is a list of D-Link routers known to be vulnerable (DIR-823, DIR-822, DIR-818L, DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L), but Pedro Ribeiro, of Agile Information Security, who found the flaw, warned that "there might be other affected devices."

And, Marshall Honorof points out that "D-Link gives these models alternate names meant to sound sexier to consumers. For example, the DIR-895L is also known as the AC5300 Ultra Wi-Fi Router. You'll want to ... check your router's administrative login page, or just flip the physical device over to check for the model number."

dlink.router.homepage

Administering a D-Link router

To put this in perspective, HNAP, or the Home Network Administration Protocol, is a network device management protocol dating back to 2007. Cisco, which took over the protocol from Pure Networks in 2008 wrote that

Perhaps the largest and most comprehensive benefit of implementing HNAP on a network device is its ability to be silently managed by other management products. The full programmable API suite allows devices' network connections to be remotely managed and administered.

In other words, someone or something malicious can re-configure routers, NAS devices, network cameras, etc. No thanks.

Besides being an accident waiting to happen, there have been other problems with HNAP.

For one thing, it has had a long history of buggy implementations. The first flaw in HNAP that I am aware of, also involved D-Link, and it dates back to January 2010. There was another D-Link HNAP flaw in April of 2015.

HNAP has also been abused, more than once, by bad guys to learn the technical details of a router, making it easier for them to find an appropriate vulnerability to attack. Worse still, HNAP normally can not be disabled.

As someone interested in Router Security, it is not something I want on my router.

Fortunately, HNAP is dying out.

There used to be an hnap.org website, but no more. It was part of a product called Network Magic and RouterCheck wrote in 2014 that "Cisco discontinued Network Magic in August 2012 ... [and] ... most technical documentation about this once important protocol has been deleted from the internet since then." And, just yesterday, D-Link said "We have ceased use of the HNAP protocol and scheduled it's removal."

TEST YOUR ROUTER FOR HNAP

D-Link was not the only company to use HNAP, so the question is: does your router support it?

The bad news is that HNAP support may not be externalized in the router user interface. The good news, is that there is a simple test for it, something that other coverage of this flaw has failed to mention.

You can test if a router supports HNAP by typing

  http://1.2.3.4/HNAP1/

where 1.2.3.4 is the IP address of your router.

For the LAN side of a router, my September 2013 blog, Find the IP address of your home router, shows you how to find the IP address from Windows, OS X, iOS, Android and Chrome OS. 

If HNAP is enabled, you will see a web page (below) with basic device information about your router in an XML file. If HNAP is not supported, there will be some type of error about displaying the web page, perhaps a 404 Not Found error.

hnap.sample.report700

A sample HNAP report. If you see this, your router supports HNAP.

WHAT TO DO

If your router supports HNAP, then consider replacing it. At the least, contact the router vendor to see if HNAP can be disabled. Years back, when I realized that my Linksys WRT54GL router supported HNAP, and that it could not be disabled, I bought a new router.

Initially, D-Link owners had no good alternative. The flaw was discovered in July 2016 and when CERT issued their advisory on November 7th, it said they are "currently unaware of a practical solution to this problem."

But, the CERT advisory got some publicity and, on November 10th, D-Link issued some fixes. As of today (November 11th), there is updated firmware available for five router models, one model is due to be fixed today, and fixes for four other models are "Under Development." Strangely, the revised firmware is downloaded from Dropbox.com rather than from Dlink.com. At least it uses HTTPS. 

REMOTELY HACKABLE?

Whether this flaw can be exploited from the Internet is unclear.

As noted above, the CERT advisory warns about "A remote, unauthenticated attacker" and suggests disabling remote administration.

As someone interested in Router Security, let me add that everyone should disable remote administration (a.k.a. remote management). My experience has been that, as a rule, routers ship with it disabled. D-Link routers ship with it disabled

On the other hand, the initial documentation of this flaw, written by Pedro Ribeiro, says "this vulnerability can only be exploited in the LAN."

Yet, D-Link said that disabling remote administration "stops the threat of this attack from the internet-side of the device." However, the very next sentence in the D-Link advisory contradicts this: "The HNAP protocol feature is limited to the home-side, meaning LAN/WIFI-side of the device." 

So, the Defensive Computing thing to do is to test the Internet/WAN side of your router for HNAP support. It only takes a minute. 

You can learn your public IP address at many websites, such as ipchicken.com and checkip.dyndns.com. The external test is the same as the internal one,

  http://1.2.3.4/HNAP1/

just substituting the public IP address for the internal one.

I would not recommend testing the Internet facing side of a router from a computer on its LAN side. You could either have someone outside your location do it, or connect a smartphone to the Internet using the data connection from the cellphone company and then test using a browser on the phone.

On RouterSecurity.org, I argue against buying any consumer grade router. Situations like this just re-inforce this opinion.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.