D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.
**Recent assessments:**
Assessed Attacker Value: 0
{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:05", "description": "A command injection vulnerability exists in D-Link DNS-320. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-18T00:00:00", "type": "checkpoint_advisories", "title": "D-Link DNS-320 Command Injection (CVE-2020-25506)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25506"], "modified": "2021-02-18T00:00:00", "id": "CPAI-2020-3260", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2021-07-24T16:14:55", "description": "", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "seebug", "title": "D-Link DNS-320 \u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff08CVE-2020-25506\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-25506"], "modified": "2021-03-10T00:00:00", "id": "SSV:99154", "href": "https://www.seebug.org/vuldb/ssvid-99154", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:50:11", "description": "D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-02T13:15:00", "type": "cve", "title": "CVE-2020-25506", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25506"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/o:dlink:dns-320_firmware:2.06b01"], "id": "CVE-2020-25506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25506", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-03-17T20:47:24", "description": "A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices \u2014 as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.\n\nSince Feb. 
16, the new variant has been targeting six known vulnerabilities \u2013 and three previously unknown ones \u2013 in order to infect systems and add them to a botnet. It\u2019s only the latest variant of Mirai [to come to light](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>), years after source code for the malware [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016.\n\n\u201cThe attacks are still ongoing at the time of this writing,\u201d said researchers with Palo Alto Networks\u2019 Unit 42 team [on Monday](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>). \u201cUpon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.\u201d\n\n## **Initial Exploit: New and Old Flaws**\n\nThe attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit ([CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>)); Yealink Device Management remote code-execution (RCE) flaws ([CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>)); a Netgear ProSAFE Plus RCE flaw ([CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>)); an RCE flaw in Micro Focus Operation Bridge Reporter ([CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>)); and a Netis WF2419 wireless router exploit ([CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) ).\n\nPatches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.\n\nFor instance, \u201cthe VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products 
in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,\u201d a SonicWall spokesperson told Threatpost. \u201cIt is not viable against any properly patched SonicWall appliances.\u201d\n\nThe botnet also exploited vulnerabilities that were not previously identified. Researchers believe that these flaws exist in IoT devices.\n\n\u201cWe cannot say with certainty what the targeted devices are for the unidentified exploits,\u201d Zhibin Zhang, principal researcher for Unit 42, told Threatpost. \u201cHowever, based off of the other known exploits in the samples, as well as the nature of exploits historically selected to be incorporated with Mirai, it is highly probable they target IoT devices.\u201d\n\nThe exploits themselves include two RCE attacks \u2014 including an exploit targeting a command-injection vulnerability in certain components; and an exploit targeting the Common Gateway Interface (CGI) login script (stemming from a key parameter not being properly sanitized). The third exploit targets the op_type parameter, which is not properly sanitized leading to a command injection, said researchers.\n\nThe latter has \u201cbeen observed in the past being [used by [the] Moobot [botnet]](<https://threatpost.com/mootbot-fiber-routers-zero-days/154962/>), however the exact target is unknown,\u201d researchers noted. Threatpost has reached out to researchers for further information on these unknown targets.\n\n## **Mirai Botnet: A Set of Binaries**\n\nAfter initial exploitation, the malware invokes the wget utility (a legitimate program that retrieves content from web servers) in order to download a shell script from the malware\u2019s infrastructure. The shell script then downloads several Mirai binaries and executes them, one-by-one.\n\nOne such binary includes lolol.sh, which has multiple functions. 
Lolol.sh deletes key folders from the target machine (including ones with existing scheduled jobs and startup scripts); creates packet filter rules to bar incoming traffic directed at the commonly-used SSH, HTTP and telnet ports (to make remote access to the affected system more challenging for admins); and schedules a job that aims to rerun the lolol.sh script every hour (for persistence). Of note, this latter process is flawed, said researchers, as the cron configuration is incorrect.\n\nAnother binary (install.sh) downloads various files and packages \u2013 including GoLang v1.9.4, the \u201cnbrute\u201d binaries (that [brute-force various credentials](<https://threatpost.com/millions-brute-force-attacks-rdp/155324/>)) and the combo.txt file (which contains numerous credential combinations, to be used for brute-forcing by \u201cnbrute\u201d).\n\nThe final binary is called dark.[arch], and is based on the Mirai codebase. This binary mainly functions for propagation, either via the various initial Mirai exploits described above, or via brute-forcing SSH connections using hardcoded credentials in the binary.\n\n## **Mirai Variants Continue to Pop Up**\n\nThe variant is only the latest to rely on Mirai\u2019s source code, [which has proliferated into more than 60 variants](<https://threatpost.com/mirai-botnet-sees-big-2019-growth-shifts-focus-to-enterprises/146547/>) since bursting on the scene with a massive distributed denial of service (DDoS) [takedown of DNS provider Dyn](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>) in 2016.\n\nLast year, a Mirai variant was found [targeting Zyxel network-attached storage (NAS) devices](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>) using a critical vulnerability that was only recently discovered, according to security researchers. 
In 2019, [a variant of the botnet](<https://threatpost.com/mirai-enterprise-systems/142889/>) was found sniffing out and targeting vulnerabilities in enterprise wireless presentation and display systems. And, a 2018 variant [was used to launch a series of DDoS campaigns](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) against financial-sector businesses.\n\nResearchers said that the biggest takeaway here is that connected devices continue to pose a security problem for users. They strongly advised customers to apply patches whenever possible.\n\n\u201cThe IoT realm remains an easily accessible target for attackers,\u201d according to Unit 42\u2019s report. \u201cMany vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences.\u201d\n\n**_Check out our free [upcoming live webinar events](<https://threatpost.com/category/webinars/>) \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * March 24: **Economics of 0-Day Disclosures: The Good, Bad and Ugly **([Learn more and register!](<https://threatpost.com/webinars/economics-of-0-day-disclosures-the-good-bad-and-ugly/>))\n * April 21: **Underground Markets: A Tour of the Dark Economy **([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/>))\n", "cvss3": {}, "published": "2021-03-16T16:57:46", "type": "threatpost", "title": "Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19356", "CVE-2020-25506", "CVE-2020-26919", "CVE-2021-22502", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-03-16T16:57:46", "id": "THREATPOST:3F4C590CA1F6027665DF96DF6D651032", "href": "https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:02", "description": 
"[](<https://thehackernews.com/images/-RHtuGy5HftM/YFCJDLIpWjI/AAAAAAAACCw/pM55oGojHcUHm6M2-ZX9QAX6Z-Nm1z4UACLcBGAsYHQ/s0/botnet.jpg>)\n\nCybersecurity researchers on Monday disclosed a new wave of ongoing attacks exploiting multiple vulnerabilities to deploy new Mirai variants on internet connected devices.\n\n\"Upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers,\" Palo Alto Networks' Unit 42 Threat Intelligence Team [said](<https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/>) in a write-up.\n\nThe rash of vulnerabilities being exploited include:\n\n * [VisualDoor](<https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/>) \\- a SonicWall SSL-VPN remote command injection vulnerability that came to light earlier this January\n * [CVE-2020-25506](<https://nvd.nist.gov/vuln/detail/CVE-2020-25506>) \\- a D-Link DNS-320 firewall remote code execution (RCE) vulnerability\n * [CVE-2021-27561 and CVE-2021-27562](<https://ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/>) \\- Two vulnerabilities in Yealink Device Management that allow an unauthenticated attacker to run arbitrary commands on the server with root privileges\n * [CVE-2021-22502](<https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md>) \\- an RCE flaw in Micro Focus Operation Bridge Reporter (OBR), affecting version 10.40\n * [CVE-2019-19356](<https://nvd.nist.gov/vuln/detail/CVE-2019-19356>) \\- a Netis WF2419 wireless router RCE exploit, and\n * [CVE-2020-26919](<https://nvd.nist.gov/vuln/detail/CVE-2020-26919>) \\- a Netgear ProSAFE Plus RCE vulnerability\n\n\"The VisualDoor exploit in question targets an old SSL-VPN firmware vulnerability that was patched on legacy products in 2015 with 7.5.1.4-43sv and 8.0.0.4-25sv releases,\" SonicWall said in a statement to The Hacker News. 
\"It is not viable against any properly patched SonicWall appliances.\"\n\nAlso included in the mix are three previously undisclosed command injection vulnerabilities that were deployed against unknown targets, one of which, according to the researchers, has been observed in conjunction with a separate botnet by the name of [MooBot](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot>).\n\nThe attacks are said to have been detected over a month-long period starting from February 16 to as recent as March 13.\n\nRegardless of the flaws used to achieve successful exploitation, the attack chain involves the use of wget utility to download a shell script from the malware infrastructure that's then used to fetch [Mirai](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai>) binaries, a notorious malware that turns networked IoT devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.\n\nBesides downloading Mirai, additional shell scripts have been spotted retrieving executables to facilitate brute-force attacks to break into vulnerable devices with weak passwords.\n\n\"The IoT realm remains an easily accessible target for attackers. 
Many vulnerabilities are very easy to exploit and could, in some cases, have catastrophic consequences,\" the researcher said.\n\n### New ZHtrap Botnet Traps Victims Using a Honeypot\n\nIn a related development, researchers from Chinese security firm Netlab 360 discovered a new Mirai-based botnet called ZHtrap that makes use of a honeypot to harvest additional victims, while borrowing some features from a DDoS botnet known as [Matryosh](<https://thehackernews.com/2021/02/beware-new-matryosh-ddos-botnet.html>).\n\n[](<https://thehackernews.com/images/-uqNg1z1INRs/YFCGXS3KMzI/AAAAAAAACCo/_lMwW_bvOD8a4SK4Ri190P4PBgrM4o2AQCLcBGAsYHQ/s0/botnet-malwar.jpg>)\n\nWhile honeypots typically mimic a target for cyber criminals so as to take advantage of their intrusion attempts to glean more information about their modus operandi, the ZHtrap botnet uses a similar technique by integrating a scanning IP collection module for gathering IP addresses that are used as targets for further worm-like propagation.\n\nIt achieves this by listening on 23 designated ports and identifying IP addresses that connect to these ports, then using the amassed IP addresses to inspect them for four vulnerabilities to inject the payload -\n\n * MVPower DVR Shell [unauthenticated RCE](<https://www.exploit-db.com/exploits/41471>)\n * Netgear DGN1000 Setup.cgi [unauthenticated RCE](<https://www.exploit-db.com/exploits/43055>)\n * [CCTV DVR RCE](<https://www.exploit-db.com/exploits/39596>) affecting multiple vendors, and\n * Realtek SDK miniigd SOAP [command execution](<https://www.exploit-db.com/exploits/37169>) (CVE-2014-8361)\n\n\"ZHtrap's propagation uses four N-day vulnerabilities, the main function is DDoS and scanning, while integrating some backdoor features,\" the researchers [said](<https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/>). 
\"Zhtrap sets up a honeypot on the infected device, [and] takes snapshots for the victim devices, and disables the running of new commands based on the snapshot, thus achieving exclusivity over the device.\"\n\n[](<https://thehackernews.com/images/-Uzpn4VdFyoE/YFCEwPNpN2I/AAAAAAAACCk/OLQNFZXfk90IMbMQYZNw8YzlN-g5YeszgCLcBGAsYHQ/s0/botnet-malware.jpg>)\n\nOnce it has taken over the devices, ZHtrap takes a cue from the Matryosh botnet by using Tor for communications with a command-and-control server to download and execute additional payloads.\n\nNoting that the attacks began from February 28, 2021, the researchers said ZHtrap's ability to turn infected devices into honeypots marks an \"interesting\" evolution of botnets to facilitate finding more targets.\n\nThese Mirai-based botnets are the latest to spring up on the threat landscape, in part fanned by the availability of Mirai's source code on the Internet since 2016, opening the field wide open for other attackers to build their own variants.\n\nLast March, researchers discovered a Mirai variant called \"[Mukashi](<https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html>),\" which was found targeting Zyxel network-attached storage (NAS) devices to conscript them into a botnet. Then in October 2020, Avira's IoT research team identified another variant of the Mirai botnet named \"[Katana](<https://www.avira.com/en/blog/katana-a-new-variant-of-the-mirai-botnet>),\" which exploited remote code execution vulnerabilities to infect D-Link DSL-7740C routers, DOCSIS 3.1 wireless gateway devices, and Dell PowerConnect 6224 Switches.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-16T10:32:00", "type": "thn", "title": "New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-8361", "CVE-2019-19356", "CVE-2020-25506", "CVE-2020-26919", "CVE-2021-22502", "CVE-2021-27561", "CVE-2021-27562"], "modified": "2021-03-18T03:14:02", "id": "THN:3907AE12F794F0523BEE196D6543A50F", "href": "https://thehackernews.com/2021/03/new-mirai-variant-and-zhtrap-botnet.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}