Overview
Multiple D-Link routers are vulnerable to unauthenticated remote command execution.
Description
Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:
DIR-866L DIR-652 DHP-1565 DIR-855L DAP-1533 DIR-862L DIR-615 DIR-835 DIR-825 We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices. |
Impact
By performing an HTTP POST request to a vulnerable router's /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link. |
Replace affected devices |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 9 | E:POC/RL:U/RC:C |
| Environmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This vulnerability was coordinated and publicly disclosed by Fortinet's FortiGuard Labs.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2019-16920 |
| Date Public: | 2019-10-03 |
| Date First Published: | 2019-10-23 |
| Date Last Updated: | 2019-10-25 11:45 UTC |
| Document Revision: | 13 |