The first mode of attack is open to hackers targeting routers via the Internet, while the second can be used when they aren't able to access them directly. In this second case, all they need is to set up a specially crafted webpage that, when the router owners' land on it, makes the request be sent automatically to the router via the local network.
According to the timeline he shared in his blog post, he notified D-Link about the existence of the flaw back in December 2012. The company responded a little less than two weeks ago, claiming that the problem is browser-related and that they are not planning on providing a fix.
Not satisfied with the answer, Messner sent them more details and input about the vulnerability with the hope that they would evaluate its severity again and change their minds about patching it. Having received no response in the meantime, he decided to go public with the discovery.
His findings have been confirmed by the heise Security, and the list of affected devices and firmware versions includes the DIR-300 router (firmware version 2.12 and 2.13) and the DIR-600 router (firmware version 2.12b02, 2.13b01 and 2.14b01).
Since there are no current mitigations for the attacks, they advise decommissioning the affected routers until D-Link offers a fix.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.