CVE-2021-34204
Description
D-Link DIR-2640-US 1.01B04 is affected by Insufficiently Protected Credentials. D-Link AC2600 (DIR-2640) stores the device system account password in plain text. It does not use Linux user management. In addition, the passwords of all devices are the same, and they cannot be modified by normal users. An attacker can easily log in to the target router through the serial port and obtain root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-2640-US 1.01B04 stores the root password in plain text; an attacker with serial port access can log in and gain root privileges.
Vulnerability
D-Link DIR-2640-US (AC2600) running firmware version 1.01B04 stores the device system account password in plain text. The router does not use Linux user management. Instead, a script, /sbin/storage.sh, reads the administrator username and password from NVRAM (keys Login and Password) and writes them into /etc/passwd without hashing, so the password field of that account holds the literal password rather than a crypt(3) hash. The same default credentials are used on every device and cannot be changed by normal users. Analysis of the firmware shows that the root entry in /etc/shadow does carry a password hash (salt ZVpxbK71, reported as corresponding to the password root), but logging in on the console with that password fails; the credentials that are actually accepted are the ones taken from NVRAM, and those are stored in plain text [1].
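The weakness above is the kind of thing a firmware triage script should flag before anyone has to attach a serial cable: a password field in /etc/passwd or /etc/shadow that is neither shadowed, locked, nor a crypt(3) hash. The following check is an added example written for this page, not code from the vendor firmware or from the cited reference. The storage_sh_passwd_line function is an assumed reconstruction of the behaviour described above (NVRAM Login and Password copied into a passwd entry unhashed), not the real /sbin/storage.sh, and the sample passwd and shadow contents, including the hash value, are constructed for the demonstration.

```python
"""Triage check: find plaintext or empty password fields in a firmware's
/etc/passwd and /etc/shadow, as extracted from an unpacked root filesystem."""
import re

# crypt(3) modular format: "$id$salt$hash" (MD5 "$1$", SHA-512 "$6$",
# bcrypt "$2b$", yescrypt "$y$", ...).
CRYPT_MODULAR = re.compile(r"^\$[0-9a-zA-Z]+\$[./0-9A-Za-z$=,]+$")
# Traditional 13-character DES form (2-char salt + 11-char hash).
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def storage_sh_passwd_line(login: str, password: str) -> str:
    """Assumed reconstruction of the vulnerable pattern: the NVRAM values are
    pasted straight into the password field, no hashing. Not the vendor script."""
    return f"{login}:{password}:0:0:root:/:/bin/sh"


def classify_secret(field: str) -> str:
    """Classify the second field of a passwd/shadow entry."""
    if field == "":
        return "empty"       # no password at all: login succeeds without one
    if field == "x":
        return "shadowed"    # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"      # account cannot authenticate with a password
    if CRYPT_MODULAR.match(field) or CRYPT_DES.match(field):
        # Caveat: a 13-character plaintext password drawn from the DES
        # alphabet is indistinguishable from a DES hash by syntax alone.
        return "hashed"
    return "plaintext"


def audit(passwd_text: str, shadow_text: str = ""):
    """Return (file, user, classification) for every entry in both files."""
    findings = []
    for name, text in (("/etc/passwd", passwd_text), ("/etc/shadow", shadow_text)):
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip() or line.startswith("#"):
                continue
            parts = line.split(":")
            if len(parts) < 2:
                findings.append((name, f"line {lineno}", "malformed"))
                continue
            findings.append((name, parts[0], classify_secret(parts[1])))
    return findings


def risky(findings):
    """Entries that let someone log in without knowing a hashed secret."""
    return [f for f in findings if f[2] in ("plaintext", "empty")]


# Constructed sample files (not real firmware contents). The admin line is
# what the described storage.sh behaviour would produce.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/:/bin/sh",
    "nobody:*:99:99:nobody:/:/bin/false",
    storage_sh_passwd_line("admin", "Admin1234"),
])
SAMPLE_SHADOW = "root:$1$saltsalt$abcdefghijklmnopqrstuv:18000:0:99999:7:::"


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f)
    for f in risky(audit(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print("RISK:", f)
```

Run it against the passwd and shadow files pulled out of an unpacked firmware image (binwalk or similar); any "plaintext" or "empty" finding is an account that a console session can use without cracking anything. The syntactic check is deliberately conservative about the DES form, so a short plaintext password like the one in the sample is caught, while a 13-character one needs a manual look.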
Exploitation
An attacker must have physical access to the router's serial port. Connecting to the serial console itself requires no authentication; the login prompt that follows is satisfied with the stored plain-text credentials, which the attacker can read from the device's NVRAM or from a dump of the firmware (and which are identical on every unit). The steps are: (1) gain physical access and connect to the serial port, (2) retrieve the plain-text credentials (e.g., from an NVRAM dump or the known default values), and (3) log in as root using those credentials [1].
Impact
Successful exploitation grants the attacker root shell access on the router. This leads to complete compromise of the device, including the ability to read and modify all configuration, monitor network traffic, and pivot to other devices on the network. Confidentiality, integrity, and availability of the router are fully compromised [1].
Mitigation
No firmware fix has been released by D-Link as of the publication date. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The vendor's security bulletin page [2] does not mention this specific issue. Users should replace the device or prevent physical access to it, since the serial port cannot be disabled by normal users. Because the device may be end-of-life, no patch is expected [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-2640-US
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- d-link.com
- dir-2640-us.com
- github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-34204
- www.dlink.com/en/security-bulletin/
News mentions
No linked articles in our index yet.