CERT Coordination Center

Multiple D-Link routers vulnerable to remote command execution

Vulnerability Note VU#766427

Original Release Date: 2019-10-23 | Last Revised: 2019-10-25

Overview

Multiple D-Link routers are vulnerable to unauthenticated remote command execution.

Description

Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:

  1. The /apply_sec.cgi code is exposed to unauthenticated users.
  2. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges.

The following devices are reported to be vulnerable:
    DIR-655
    DIR-866L
    DIR-652
    DHP-1565
    DIR-855L
    DAP-1533
    DIR-862L
    DIR-615
    DIR-835
    DIR-825

We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
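
A request-inspection check for the pattern described above, added here as an example and not part of the CERT/CC note or its proof-of-concept: it flags POSTs to /apply_sec.cgi whose ping_ipaddr value contains a newline or carriage return after percent-decoding, and marks any other non-IP value for review. The function name, verdict labels and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

CGI_PATH = "/apply_sec.cgi"  # endpoint named in the note
PARAM = "ping_ipaddr"        # argument named in the note


def classify_request(raw: bytes) -> str:
    """Classify one raw HTTP request: ignore, ok, review or newline-injection."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return "ignore"
    method, target = parts[0], parts[1]
    if method.upper() != "POST" or urlsplit(target).path != CGI_PATH:
        return "ignore"
    # parse_qs percent-decodes, so %0a and %0d become real control characters.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    verdict = "ok"
    for value in fields.get(PARAM, []):
        if "\n" in value or "\r" in value:
            return "newline-injection"
        try:
            ipaddress.ip_address(value)
        except ValueError:
            verdict = "review"  # not an IP literal: hostname, blank or other text
    return verdict


# Constructed sample requests (documentation addresses, placeholder text).
HDR = b"POST /apply_sec.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
SAMPLES = {
    "other page": b"GET /other.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
    "ip literal": HDR + b"ping_ipaddr=198.51.100.7",
    "hostname": HDR + b"ping_ipaddr=host.example",
    "encoded newline": HDR + b"ping_ipaddr=198.51.100.7%0aPLACEHOLDER",
    "raw newline": HDR + b"ping_ipaddr=198.51.100.7\nPLACEHOLDER",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} -> {classify_request(raw)}")
```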

Impact

By performing an HTTP POST request to a vulnerable router's /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.

Replace affected devices

Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.

Vendor Information

D-Link Systems, Inc. Affected

Updated: October 21, 2019

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9      E:POC/RL:U/RC:C
Environmental  6.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

This vulnerability was coordinated and publicly disclosed by Fortinet's FortiGuard Labs.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-16920
Date Public: 2019-10-03
Date First Published: 2019-10-23
Date Last Updated: 2019-10-25 11:45 UTC
Document Revision: 13

Sponsored by CISA.