D-Link DSL-2640B ADSL Router – ‘dnscfg’ Remote DNS Change

Details of BNVL-2018-0052

What does the BNVL label mean?

BitNinja Server Security’s BNVL identifiers are intended for use to identify publicly known information security vulnerabilities in publicly released software packages. This project was designed to collect and analyze attack information from the BitNinja network after cluster analysis by the AI-powered Attack Vector Miner. More than 100 vulnerability types have been discovered with this project so far, so we decided to publish this platform to help to keep Linux server owners up-to-date.

Important! All listed BNVL vulnerabilities are protected by BitNinja PRO, so please check your configurations if your infrastructure is affected by any of them.

Syntax for BNVL labels:

BNVL prefix + Year + Arbitrary Digits


Name : 
D-Link DSL-2640B ADSL Router – ‘dnscfg’ Remote DNS Change
Related Links: https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm
                         https://www.exploit-db.com/exploits/42197/ 

CVE ID: Na

Description
The vulnerability exist in the web interface, which is 

accessible without authentication.

Once modified, systems use foreign DNS servers, which are
usually set up by cybercriminals. Users with vulnerable
systems or devices who try to access certain sites are
instead redirected to possibly malicious sites.

Modifying systems’ DNS settings allows cybercriminals to
perform malicious activities like:

o Steering unknowing users to bad sites:
These sites can be phishing pages that
spoof well-known sites in order to
trick users into handing out sensitive
information.

o Replacing ads on legitimate sites:
Visiting certain sites can serve users
with infected systems a different set
of ads from those whose systems are
not infected.

o Controlling and redirecting network traffic:
Users of infected systems may not be granted
access to download important OS and software
updates from vendors like Microsoft and from
their respective security vendors.

o Pushing additional malware:
Infected systems are more prone to other
malware infections (e.g., FAKEAV infection).

Pattern: dnscfg.cgi
             dnsPrimary=
             dnsSecondary=