CERT VU:766427
History: Oct 23, 2019 - 12:00 a.m.

Multiple D-Link routers vulnerable to remote command execution

2019-10-23 00:00:00
www.kb.cert.org

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.971
Percentile: 99.8%

Overview

Multiple D-Link routers are vulnerable to unauthenticated remote command execution.

Description

Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws:

  1. The /apply_sec.cgi code is exposed to unauthenticated users.
  2. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters.

Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable:

DIR-655
DIR-866L
DIR-652
DHP-1565
DIR-855L
DAP-1533
DIR-862L
DIR-615
DIR-835
DIR-825

We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.
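
Where affected devices are still deployed, the two flaws described above can be watched for in captured HTTP traffic. The following detection sketch is an added example, not part of the CERT/CC advisory or any D-Link code; the request tuples, the 'review'/'alert' labels and the choice to flag every ASCII control character (a generalization of the newline case) are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/apply_sec.cgi"  # CGI endpoint named in the advisory


def has_control_chars(value):
    """True if the decoded value holds a newline or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def classify(method, url, body):
    """Return 'ignore', 'review' or 'alert' for one captured HTTP request."""
    if method.upper() != "POST" or urlsplit(url).path != TARGET_PATH:
        return "ignore"
    # parse_qs percent-decodes, so %0a and a literal newline look the same here.
    fields = parse_qs(body, keep_blank_values=True)
    if "ping_test" not in fields.get("action", []):
        return "review"  # any POST to this endpoint is worth a look
    # Check every copy of a repeated parameter: which one the device
    # honours is not stated in the advisory.
    if any(has_control_chars(v) for v in fields.get("ping_ipaddr", [])):
        return "alert"
    return "review"


def scan(requests):
    """Classify a sequence of (method, url, body) tuples."""
    return [classify(method, url, body) for method, url, body in requests]


# Constructed sample traffic (documentation addresses, placeholder payload text).
SAMPLE = [
    ("POST", "/apply_sec.cgi", "action=ping_test&ping_ipaddr=192.0.2.10"),
    ("POST", "/apply_sec.cgi", "action=ping_test&ping_ipaddr=192.0.2.10%0aPLACEHOLDER"),
    ("GET", "/index.html", ""),
    ("POST", "/apply_sec.cgi",
     "ping_ipaddr=192.0.2.10&action=ping_test&ping_ipaddr=192.0.2.11%0D%0APLACEHOLDER"),
]

if __name__ == "__main__":
    for request, verdict in zip(SAMPLE, scan(SAMPLE)):
        print(verdict, request[0], request[1])
```
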

Impact

By performing an HTTP POST request to a vulnerable router’s /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.


Solution

The CERT/CC is currently unaware of a practical solution to this problem. The devices listed above are no longer supported by D-Link.


Replace affected devices

Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.


Vendor Information


D-Link Systems, Inc. Affected

Updated: October 21, 2019

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9      E:POC/RL:U/RC:C
Environmental  6.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

This vulnerability was coordinated and publicly disclosed by Fortinet’s FortiGuard Labs.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-16920
Date Public: 2019-10-03
Date First Published:
