No patch for remote code-execution bug in D-Link and Trendnet routers

Home and small-office routers from manufacturers including Trendnet and D-Link are vulnerable to attacks that allow attackers anywhere in the world to execute malicious code on the devices, according to an advisory issued over the weekend.

The remote command-injection bug affects routers that were developed using the RealTek software development kit. That includes routers from Trendnet and D-Link, according to the developer who discovered the vulnerability. There’s no comprehensive list of manufacturers or models that are affected, though more technical users may be able to spot them by using the Metasploit framework to query their router. If the response contains “RealTek/v1.3” or similar, it’s likely vulnerable.

The remote code-execution vulnerability resides in the “miniigd SOAP service” as implemented by the RealTek SDK. Security researcher Ricky “HeadlessZeke” Lawshae reported it to HP’s Zero Day Initiative (ZDI) in August 2013. ZDI, which uses such vulnerability information to block attacks in its line of intrusion prevention services, then reported it to officials inside RealTek. After 20 months of inaction, the HP division disclosed it publicly even though no fix has been released.