CVE-2018-6210

9.8 CRITICAL

📋 TL;DR

D-Link DIR-620 routers running the Rostelekom firmware variant 1.0.37 ship with a hardcoded 'rostel' account. Anyone who can reach the router's TELNET service (TCP/23) can log in with the built-in credentials and obtain a root-level shell on the device. Every unit running this firmware variant carries the same account, so the whole population is compromisable with one known credential; no per-device secret and no prior access are needed.

💻 Affected Systems

Products:
  • D-Link DIR-620
Versions: Rostelekom firmware variant 1.0.37
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Rostelekom-branded firmware variant is known to carry the account; standard D-Link firmware is not reported as affected. TELNET is reported as enabled by default on the affected firmware, so the account is reachable without any configuration change by the owner.

📦 What is this software?

The D-Link DIR-620 is a consumer Wi-Fi router with a USB port for 3G/LTE modems. Rostelekom, a Russian ISP, supplied it to subscribers with its own firmware build; the hardcoded account is reported only in that ISP build, not in D-Link's generic firmware.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and disable security controls.

🟠

Likely Case

Attackers gain administrative access to modify router settings, redirect DNS, capture credentials, and use the device as a foothold for further attacks.

🟢

If Mitigated

Disabling TELNET (or blocking TCP/23) removes the only known path to the account, but the account itself stays in the firmware until the device is reflashed; a factory reset or configuration restore that turns TELNET back on reopens it. Only a firmware build without the account removes the risk.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and TELNET is often enabled by default on affected devices.
🏢 Internal Only: MEDIUM - If TELNET is accessible from internal networks, attackers with internal access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Effectively yes (the credentials are fixed in the firmware, so no attacker-supplied secret is needed)
Complexity: LOW

Exploitation is trivial: connect to TCP/23 on the router and log in as 'rostel' with the password baked into the firmware. The credentials are identical on every affected unit, so the attacker needs no per-device secret and no prior foothold; the only precondition is network reachability of the TELNET service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware builds that drop the hardcoded account. Because the affected build is the Rostelekom variant, the corrected build is distributed for that variant; a generic D-Link image may not be intended for ISP-branded units, so confirm the correct image for your firmware line (ISP support channel or D-Link support) before flashing.

Vendor Advisory: https://support.dlink.com/

Restart Required: Yes

Instructions:

1. Download the latest firmware for your firmware variant from the D-Link support site (or the ISP's support channel for the Rostelekom build).
2. Log into the router web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the reboot to finish (do not interrupt power).

🔧 Temporary Workarounds

Disable TELNET service

all

Prevents remote exploitation by turning off the service through which the account is reached. On the DIR-620 the supported way is the web administration interface (the Telnet / remote-management setting where the firmware exposes one). The two lines below are illustrative of a generic Linux host and are not literal DIR-620 commands; the router has no standard service manager, and stopping BusyBox telnetd from a shell on the device lasts only until the next reboot.

telnet_enable=0
service telnet stop

Block TELNET at firewall

linux

Block inbound TCP/23 before the TELNET daemon can see it. Insert the rule at the head of the chain (a rule appended with -A lands after existing ACCEPT rules and never fires). On the router itself use INPUT and add -i <WAN interface> so LAN administration still works; on an upstream firewall protecting the router use FORWARD instead. Rules added on the router from a shell do not survive a reboot unless the firmware saves them.

iptables -I INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

  • Replace affected devices with non-vulnerable models
  • Isolate routers in separate VLAN with strict access controls

🔍 How to Verify

Check if Vulnerable:

From a host that can reach the router, connect to TCP/23 (telnet <router-ip> 23) and attempt to log in as 'rostel'. If the service answers with a login prompt and the account is accepted, the device is vulnerable. A closed or filtered port 23 on the WAN side does not mean the account is gone: the device may still expose it on the LAN side, so check from both sides.

Check Version:

The firmware version is shown in the router's web interface (Status > Device Info or equivalent). 'cat /proc/version' only reports the kernel build, not the firmware version, and SSH is not normally available on this model, so rely on the web interface (or the TELNET banner) for the version string.

Verify Fix Applied:

After the firmware update, confirm that a login as 'rostel' is rejected (or that nothing is listening on TCP/23 at all), recheck the firmware version string in the web interface, and repeat the check from both the WAN side and the LAN side.
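A scripted version of this check, added here as an example and not taken from the page or from any D-Link or Kaspersky tooling: it drives a raw TELNET session, refuses all option negotiation so the session falls back to plain text, logs in as 'rostel' with a password supplied on the command line (the password is not on this page, so the operator must provide it), and classifies the router's reply. The prompt strings it looks for ('login:', 'Password:', 'Login incorrect', a '#'/'$' shell prompt) are assumptions about a BusyBox-style login, which is what most small Linux routers print.

```python
import socket
import sys
import time

BACKDOOR_USER = "rostel"          # account name from the CVE description

# Telnet protocol bytes (RFC 854): IAC introduces a command, DO/DONT/WILL/WONT
# negotiate options. We refuse every option so the peer sends plain NVT text.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_telnet_negotiation(data: bytes) -> tuple[bytes, bytes]:
    """Split raw socket data into (printable text, negotiation reply).

    Every DO is answered with WONT and every WILL with DONT. A sequence cut
    off at the end of `data` is dropped rather than reassembled."""
    text, reply = bytearray(), bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC, nothing we can do
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
            continue
        if cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= len(data):      # truncated option negotiation
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
            continue
        i += 2                          # other two-byte commands (NOP, GA, ...)
    return bytes(text), bytes(reply)


def classify(text: bytes) -> str:
    """Map what the router printed to one of a few session states."""
    t = text.lower()
    if b"login incorrect" in t or b"login failed" in t or b"access denied" in t:
        return "rejected"
    if b"password:" in t:
        return "password_prompt"
    if b"login:" in t or b"username:" in t:
        return "login_prompt"
    if text.rstrip().endswith((b"#", b"$", b">")):
        return "shell"
    return "unknown"


def _read_until(sock: socket.socket, needles: tuple[bytes, ...], timeout: float) -> bytes:
    """Read text until one of `needles` (case-insensitive) appears or we time out,
    answering option negotiation as we go."""
    buf = bytearray()
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        text, reply = strip_telnet_negotiation(chunk)
        if reply:
            sock.sendall(reply)
        buf += text
        if any(n in bytes(buf).lower() for n in needles):
            break
    return bytes(buf)


def probe(host: str, password: str, port: int = 23, timeout: float = 5.0) -> str:
    """Try the hardcoded account against one router; return the classified outcome."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        banner = _read_until(s, (b"login:", b"username:"), timeout)
        if classify(banner) != "login_prompt":
            return "no_login_prompt"
        s.sendall(BACKDOOR_USER.encode() + b"\r\n")
        if classify(_read_until(s, (b"password:",), timeout)) != "password_prompt":
            return "no_password_prompt"
        s.sendall(password.encode() + b"\r\n")
        return classify(_read_until(s, (b"login:", b"incorrect", b"#", b"$"), timeout))


if __name__ == "__main__":
    router, secret = sys.argv[1], sys.argv[2]   # password is not on this page; the operator supplies it
    print(probe(router, secret))
```

Run it as python3 probe.py <router-ip> <password>. 'shell' means the account was accepted and the device is vulnerable; 'rejected' means the firmware no longer accepts it; 'no_login_prompt' usually means TCP/23 is filtered or the daemon is off, which is a mitigation but not a fix. Option negotiation split across two recv() calls is not reassembled, which is adequate for a one-shot login probe.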

📡 Detection & Monitoring

Log Indicators:

  • Failed/successful TELNET authentication attempts
  • Login attempts with 'rostel' username

Network Indicators:

  • TELNET connections to router on port 23
  • Unusual outbound traffic from router

SIEM Query (field names are placeholders; map them to your collector's schema):

source="router.log" AND (event="telnet_login" OR username="rostel")

The event clause matches every TELNET login and will be noisy where TELNET administration is in legitimate use; the username clause is the high-confidence part of the query.
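The indicators above as executable detection logic, added here as an example (not the page's or any vendor's code). It runs over a handful of constructed syslog lines in an assumed BusyBox-style login format and netfilter LOG format, raises a critical alert for any session of the 'rostel' account, a high alert for failed attempts against it, and a high or medium alert for every TCP/23 connection depending on whether the source is RFC 1918. The regexes are assumptions about those formats and will need adjusting to what your router and firewall actually emit.

```python
import ipaddress
import re

BACKDOOR_USER = "rostel"   # account name from the CVE description

# Constructed sample syslog lines (not real DIR-620 output): a BusyBox-style
# login program on the router plus netfilter LOG lines from an upstream firewall.
SAMPLE_LOGS = """\
May 12 10:01:02 dir620 login[1201]: LOGIN ON pts/0 BY admin FROM 192.168.0.15
May 12 10:03:15 dir620 login[1210]: LOGIN ON pts/1 BY rostel FROM 203.0.113.7
May 12 10:03:20 dir620 login[1211]: invalid password for 'rostel' on 'pts/2' from '198.51.100.9'
May 12 10:04:00 dir620 dnsmasq[300]: reading /etc/resolv.conf
May 12 10:05:44 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=23 SYN
May 12 10:06:01 fw01 kernel: IN=eth1 OUT= SRC=192.168.0.20 DST=192.168.0.1 PROTO=TCP SPT=51001 DPT=23 SYN
May 12 10:06:30 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51002 DPT=80 SYN
"""

# The three patterns are assumptions about the formats above; adjust them to
# whatever your router and firewall really log.
LOGIN_OK_RE = re.compile(r"login\[\d+\]: LOGIN ON \S+ BY (?P<user>\w+)(?: FROM (?P<src>[\d.]+))?")
LOGIN_FAIL_RE = re.compile(r"login\[\d+\]: invalid password for '(?P<user>\w+)'(?: on '[^']+')?(?: from '(?P<src>[\d.]+)')?")
NETFILTER_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; anything else is treated as Internet-side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyse(lines):
    """Return one alert dict per suspicious line, in input order."""
    alerts = []
    for line in lines:
        m = LOGIN_OK_RE.search(line)
        if m:
            if m.group("user") == BACKDOOR_USER:
                alerts.append({"severity": "critical", "reason": "hardcoded account logged in",
                               "user": m.group("user"), "src": m.group("src"), "line": line})
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m:
            if m.group("user") == BACKDOOR_USER:
                alerts.append({"severity": "high", "reason": "hardcoded account attempted",
                               "user": m.group("user"), "src": m.group("src"), "line": line})
            continue
        m = NETFILTER_RE.search(line)
        if m and m.group("dport") == "23":
            internal = is_internal(m.group("src"))
            alerts.append({"severity": "medium" if internal else "high",
                           "reason": "telnet connection from " + ("internal host" if internal else "the Internet"),
                           "user": None, "src": m.group("src"), "line": line})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS.splitlines()):
        print(f"[{a['severity']:8}] {a['reason']}: src={a['src']} user={a['user']}")
```

A successful 'rostel' login is the one indicator that is unambiguous, so it is scored above everything else; TCP/23 SYNs from RFC 1918 space are scored lower because LAN-side TELNET administration may be legitimate, while the same SYN from the Internet should never be seen on a consumer router.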
