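On D-Link DIR-818LW Rev.A 2.05.B03 and DIR-860L Rev.B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530. The related records below describe CVE-2018-6530 only. The OpenVAS check among them is a firmware-version comparison for the DIR-860L, DIR-865L, DIR-868L and DIR-880L; it does not list the DIR-818LW and is unlikely to flag the 2.x firmware named here, so a clean result from that check should not be read as coverage of this issue.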
{"cve": [{"lastseen": "2022-03-23T18:20:28", "description": "OS command injection vulnerability in soap.cgi (soapcgi_main in cgibin) in D-Link DIR-880L DIR-880L_REVA_FIRMWARE_PATCH_1.08B04 and previous versions, DIR-868L DIR868LA1_FW112b04 and previous versions, DIR-865L DIR-865L_REVA_FIRMWARE_PATCH_1.08.B01 and previous versions, and DIR-860L DIR860LA1_FW110b04 and previous versions allows remote attackers to execute arbitrary OS commands via the service parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-06T20:29:00", "type": "cve", "title": "CVE-2018-6530", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6530"], "modified": "2018-03-27T18:09:00", "cpe": ["cpe:/o:d-link:dir-860l_firmware:a1_fw110b04", "cpe:/o:d-link:dir-868l_firmware:a1_fw112b04", "cpe:/o:d-link:dir-880l_firmware:reva_firmware_patch_1.08b04", "cpe:/o:d-link:dir-865l_firmware:reva_firmware_patch_1.08.b01"], "id": "CVE-2018-6530", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6530", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:o:d-link:dir-868l_firmware:a1_fw112b04:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-860l_firmware:a1_fw110b04:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-880l_firmware:reva_firmware_patch_1.08b04:*:*:*:*:*:*:*", "cpe:2.3:o:d-link:dir-865l_firmware:reva_firmware_patch_1.08.b01:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-04-03T18:02:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6530"], "description": "D-Link Routers DIR-860L, DIR-865L, DIR-868L and DIR-880L are prone to an OS command injection vulnerability.", "modified": "2020-04-01T00:00:00", "published": "2018-03-21T00:00:00", "id": "OPENVAS:1361412562310113142", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113142", "type": "openvas", "title": "D-Link DIR Routers OS Command Injection Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# D-Link DIR Routers OS Command Injection Vulnerability\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113142\");\n script_version(\"2020-04-01T10:41:43+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-01 10:41:43 +0000 (Wed, 01 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-21 10:54:55 +0100 (Wed, 21 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2018-6530\");\n script_name(\"D-Link DIR Routers OS Command Injection Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_dlink_dir_detect.nasl\");\n script_mandatory_keys(\"Host/is_dlink_dir_device\", \"d-link/dir/fw_version\");\n\n script_xref(name:\"URL\", value:\"ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-860L/REVA/DIR-860L_REVA_FIRMWARE_PATCH_NOTES_1.11B01_EN_WW.pdf\");\n script_xref(name:\"URL\", value:\"ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-865L/REVA/DIR-865L_REVA_FIRMWARE_PATCH_NOTES_1.10B01_EN_WW.pdf\");\n script_xref(name:\"URL\", value:\"ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-868L/REVA/DIR-868L_REVA_FIRMWARE_PATCH_NOTES_1.20B01_EN_WW.pdf\");\n script_xref(name:\"URL\", value:\"ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-880L/REVA/DIR-880L_REVA_FIRMWARE_PATCH_NOTES_1.08B06_EN_WW.pdf\");\n\n script_tag(name:\"summary\", value:\"D-Link Routers DIR-860L, DIR-865L, DIR-868L and DIR-880L are prone to an OS command injection vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"The script checks if 
the target is an affected device running a vulnerable Firmware version.\");\n\n script_tag(name:\"insight\", value:\"The OS command injection is possible through the service parameter in soap.cgi.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to execute arbitrary OS commands,\n effectively gaining complete control over the target system.\");\n\n script_tag(name:\"affected\", value:\"D-Link DIR-860L through Firmware version 1.10b04\n\n D-Link DIR-865L through Firmware version 1.08b01\n\n D-Link DIR-868L through Firmware version 1.12b04\n\n D-Link DIR-880L through Firmware version 1.08b04\");\n\n script_tag(name:\"solution\", value:\"Update to DIR-860L 1.11, DIR-865L 1.10, DIR-868L 1.20 or DIR-880L 1.08b06 respectively.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list( \"cpe:/o:d-link:dir-860l_firmware\",\n\"cpe:/o:d-link:dir-865l_firmware\",\n\"cpe:/o:d-link:dir-868l_firmware\",\n\"cpe:/o:d-link:dir-880l_firmware\" );\n\nif( ! infos = get_app_port_from_list( cpe_list:cpe_list ) )\n exit( 0 );\n\ncpe = infos[\"cpe\"];\nport = infos[\"port\"];\n\nif( ! 
version = get_app_version( cpe:cpe, port:port ) )\n exit( 0 );\n\nif( \"dir-860l\" >< cpe ) {\n device = \"DIR-860L\";\n fixed_ver = \"1.11\";\n} else if( \"dir-865l\" >< cpe ) {\n device = \"DIR-865L\";\n fixed_ver = \"1.10\";\n} else if( \"dir-868l\" >< cpe ) {\n device = \"DIR-868L\";\n fixed_ver = \"1.20\";\n} else if( \"dir-880l\" >< cpe ) {\n device = \"DIR-880L\";\n fixed_ver = \"1.08\";\n}\n\nif( device && fixed_ver ) {\n if( version_is_less( version:version, test_version:fixed_ver ) ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fixed_ver, extra:\"The target device is a \" + device );\n security_message( data:report, port:port );\n exit( 0 );\n }\n exit( 99 );\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}