The only workaround is to disable remote administration.
So do that.
It's 2016, and D-Link still can't get its Home Network Automation Protocol (HNAP) implementation right. In a terse advisory, the Carnegie-Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow. “Processing malformed SOAP messages when performing the HNAP Login action causes a …
Still vulnerable to exploit from inside the LAN.
This means that if someone gets malicious code running on any PC inside your network, then they can use this vulnerability to take control of your router, and in turn use that to attack the other PCs on your network (fake DNS responses etc).
This is also a problem for coffee shops or other businesses who kindly share their Wi-Fi - any customer can hack their router.
"This and other stories like it are why I am less and less sorry for paying for a commercial grade firewall and security appliance for my home network"
Indeed, while primarily a learning exercise, I have set up a decent smart switch, router and a few subnets isolating wireless, wired and untrusted devices; squid + iptables restrict access to the router.
Although I'm not entirely sure this qualifies as a "home" network anymore, despite its location.
'As Ribeiro notes, “D-link has a long history of vulnerabilities in HNAP”, many of them attributed to embedded device hacker Craig Heffner of dev/ttyS0.'
Was Craig Heffner responsible for creating the vulnerabilities or for the discovery of them? I suspect you meant the latter but the wording implies the former.