CVE-2020-29324 – CVE-2020-29324 is a credentials disclosure vuln... (How to Fix)

Q: What is the severity of CVE-2020-29324?

CVE-2020-29324 has a CVSS score of 7.5 (HIGH). CVE-2020-29324 is a credentials disclosure vulnerability in D-Link DIR-895L MFC routers where hardcoded telnet credentials can be extracted through firmware decompilation. This allows unauthenticated attackers to gain access to the router's firmware and extract sensitive data. Affected users are those running vulnerable firmware versions on these specific router models.

📋 TL;DR

CVE-2020-29324 is a credentials disclosure vulnerability in D-Link DIR-895L MFC routers where hardcoded telnet credentials can be extracted through firmware decompilation. This allows unauthenticated attackers to gain access to the router's firmware and extract sensitive data. Affected users are those running vulnerable firmware versions on these specific router models.

💻 Affected Systems

Products:

D-Link DIR-895L MFC Router

Versions: v1.21b05 and potentially earlier versions

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in firmware itself; telnet service may be enabled by default or through specific configurations.

📦 What is this software?

Dir 895l Mfc Firmware by Dlink

View all CVEs affecting Dir 895l Mfc Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attacker to intercept all network traffic, modify DNS settings, install malware, and pivot to internal network devices.

🟠

Likely Case

Router takeover enabling traffic monitoring, credential theft from unencrypted connections, and network disruption.

🟢

If Mitigated

Limited impact if telnet service is disabled and firmware is updated, though risk remains if credentials are reused elsewhere.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and telnet service may be exposed to WAN.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if telnet is enabled on LAN interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires firmware extraction and credential discovery, but tools exist for this process. Telnet access provides immediate administrative control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link for latest firmware (specific version not publicly documented for this CVE)

Vendor Advisory: https://support.dlink.com/

Restart Required: Yes

Instructions:

1. Visit D-Link support site. 2. Download latest firmware for DIR-895L MFC. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Telnet Service

all

Turn off telnet service to prevent credential-based access

Login to router admin interface and disable telnet in services/administration settings

Change Default Credentials

all

Change all router credentials including admin password

Login to router admin interface and change passwords in administration settings

🧯 If You Can't Patch

Disable telnet service immediately and use SSH instead if available
Isolate router on separate VLAN with strict firewall rules limiting access

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System or Status section. If version is v1.21b05 or earlier, assume vulnerable.

Check Version:

telnet [router_ip] (if enabled) or check web interface at http://[router_ip]

Verify Fix Applied:

Verify firmware version has been updated to latest available from D-Link and telnet service is disabled.

📡 Detection & Monitoring

Log Indicators:

Failed/successful telnet authentication attempts
Firmware modification logs
Unusual administrative access patterns

Network Indicators:

Telnet connections to router on port 23
Unusual outbound traffic from router
DNS query anomalies

SIEM Query:

source="router_logs" AND (event="telnet_login" OR event="firmware_update")

📊 Metadata

CVE ID: CVE-2020-29324

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-312

Published: June 4, 2021

Last Updated: November 21, 2024

🔗 References

https://cybersecurityworks.com/zerodays/cve-2020-29324-d-link-router-dir-895l-mfc-telnet-hardcoded-credentials.html Exploit,Third Party Advisory
https://cybersecurityworks.com/zerodays/cve-2020-29324-d-link-router-dir-895l-mfc-telnet-hardcoded-credentials.html Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-29324, you might also want to check these: