Multiple D-Link routers are vulnerable to unauthenticated remote command execution.
Several D-Link routers contain CGI functionality that is exposed to users as /apply_sec.cgi and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:
Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges.
The following devices are reported to be vulnerable:
We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
By performing an HTTP POST request to a vulnerable router's /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.
The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.
Replace affected devices
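The following Python sketch is an added example, not part of the original advisory or any D-Link or CERT/CC code. It inspects POST bodies sent to /apply_sec.cgi, as a proxy or log pipeline in front of an affected device might, and flags any ping_ipaddr value that contains a newline or is not a plain IP address or hostname. The function names and the sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

TARGET_PATH = "/apply_sec.cgi"
# One or more dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z"
)

def is_plain_host(value):
    """True if value is a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def inspect_request(method, path, body):
    """Return findings for one request; body is the raw form-encoded POST body."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    # parse_qs percent-decodes values, so %0a and a raw newline look the same here.
    for value in parse_qs(body, keep_blank_values=True).get("ping_ipaddr", []):
        if "\n" in value or "\r" in value:
            findings.append("newline in ping_ipaddr")
        elif not is_plain_host(value):
            findings.append("ping_ipaddr is not an IP address or hostname")
    return findings

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10"),
    ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10%0aPLACEHOLDER"),
    ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10+extra"),
    ("GET", "/index.html", ""),
]

def scan(samples):
    """Map each sample index to its findings, keeping only flagged requests."""
    results = {i: inspect_request(*s) for i, s in enumerate(samples)}
    return {i: f for i, f in results.items() if f}

if __name__ == "__main__":
    for index, found in scan(SAMPLES).items():
        print(SAMPLES[index][2], "->", found)
```

Because the check is an allowlist on the decoded value, it also flags malformed or doubly encoded values rather than only the literal newline case.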
This vulnerability was coordinated and publicly disclosed by Fortinet's FortiGuard Labs.
This document was written by Will Dormann.
Date First Published: 2019-10-23
Date Last Updated: 2019-10-25 11:45 UTC