nessus | This script is Copyright (C) 2023 Tenable, Inc. | D-LINK_ROUTER_CVE-2019-16057.NASL
History: Mar 01, 2023 - 12:00 a.m.

D-Link Routers RCE (CVE-2019-16057)

2023-03-01 00:00:00
This script is Copyright (C) 2023 Tenable, Inc.
www.tenable.com
88
d-link
routers
dns-320
rce
cve-2019-16057
command injection
remote code execution
nessus scanner
unauthenticated access

0.976 High

EPSS

Percentile

100.0%

D-Link DNS-320 through 2.05.B10 is affected by command injection in the login_mgr.cgi component, which can lead to remote arbitrary code execution. The port parameter in the script could be poisoned to execute arbitrary commands, opening the door to an RCE attack. If the vulnerability is exploited, a remote, unauthenticated attacker can access all application commands with root permission.

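Note that Nessus has not tested for this issue but has instead relied only on the router’s self-reported model. The plugin code below does not compare the device's firmware version against 2.05.B10, and it reports a finding only when the scan's report paranoia is 2 or higher; at lower settings it exits with a potential-vulnerability audit instead, so a reported finding still needs the firmware version confirmed on the device.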

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Metadata pass: when the `description` flag is set, this block only registers
# the plugin's identity, references, scoring and prerequisites, then exits
# before any of the detection code further down is reached.
if (description)
{
  script_id(172032);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/09");

  script_cve_id("CVE-2019-16057");
  # Cross-reference to the CISA Known Exploited Vulnerabilities catalog.
  # NOTE(review): the date value is presumably the catalog's remediation due
  # date rather than the date the entry was added - confirm against the catalog.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/06");

  script_name(english:"D-Link Routers RCE (CVE-2019-16057)");

  script_set_attribute(attribute:"synopsis", value:
"The remote router is affected by a remote command execution vulnerability.");
  # The description text itself states the key limitation of this plugin: the
  # finding is inferred from the self-reported model, not from a probe of
  # login_mgr.cgi.
  script_set_attribute(attribute:"description", value:
"D-Link DNS-320 through 2.05.B10 is affected by command injection in the login_mgr.cgi component, 
which can lead to remote arbitrary code execution. The port parameter in the script could be poisoned 
to execute arbitrary commands, opening the door to an RCE attack. If the vulnerability is exploited 
a remote, unauthenticated attacker can access all application commands with root permission.

Note that Nessus has not tested for this issue but has instead relied only on the router's self-reported model.");
  # Vendor advisory that the shortened see_also link below stands for:
  # https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10123
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8234be61");
  # The only remediation offered is replacing the device; no fixed firmware
  # version is named here.
  script_set_attribute(attribute:"solution", value:
"Upgrade to a supported device.");
  # Base vectors: network-reachable, low complexity, no authentication or
  # privileges, no user interaction, full confidentiality/integrity/availability
  # impact. Temporal vectors carry E:H, in line with exploit_available below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16057");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # NOTE(review): patch_publication_date (2019/04/11) is earlier than
  # vuln_publication_date (2019/09/15); presumably the fix shipped before public
  # disclosure - confirm against the vendor advisory.
  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Information-gathering category: consistent with the description's statement
  # that the issue is not actively tested.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2023 Tenable, Inc.");

  # Prerequisites: the D-Link detection plugin is declared as a dependency, and
  # both KB keys must be present for this plugin to run; 'd-link/model' is the
  # value the detection code below reads.
  script_dependencies("d-link_router_detect.nasl");
  script_require_keys("www/d-link", "d-link/model");
  script_require_ports("Services/www", 80);

  exit(0);
}

include('http.inc');

# Model string recorded in the KB, upper-cased so the comparison below is
# case-insensitive; the script stops here if the KB item is missing.
var detected_model = toupper(get_kb_item_or_exit('d-link/model'));

# The pattern is anchored at both ends, so only the exact string DNS-320
# passes; longer model strings that merely start with it do not match.
if (detected_model !~ "^DNS-320$")
{
  audit(AUDIT_HOST_NOT, 'an affected D-Link model');
}

# Nothing in this script checks the firmware version, so the result is a
# model-only inference. Below paranoia level 2 the host is audited as a
# potential vulnerability instead of being reported.
if (report_paranoia < 2)
{
  audit(AUDIT_POTENTIAL_VULN, 'D-Link model ' + detected_model);
}

var http_port = get_http_port(default:80, embedded:1);

# Report body: the matched model followed by the remediation text, in that order.
var report_fields = make_array(
  'Model', detected_model,
  'Solution', 'Upgrade to a supported device'
);
var field_order = make_list('Model', 'Solution');

security_report_v4(
  port:http_port,
  severity:SECURITY_HOLE,
  extra:report_items_str(report_items:report_fields, ordered_fields:field_order)
);
