
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN337

_____________________________________________________________________

DATE                : 25/10/2019

HARDWARE PLATFORM(S): D-Link routers.

OPERATING SYSTEM(S): D-Link routers software.

=====================================================================
https://kb.cert.org/vuls/id/766427/
_____________________________________________________________________


Multiple D-Link routers vulnerable to remote command execution
Vulnerability Note VU#766427
Original Release Date: 2019-10-23 | Last Revised: 2019-10-23


Overview

Multiple D-Link routers are vulnerable to unauthenticated remote
command execution.


Description

Several D-Link routers contain CGI capability that is exposed to
users as /apply_sec.cgi, and dispatched on the device by the
binary /www/cgi/ssi. This CGI code contains two flaws:

    1. The /apply_sec.cgi code is exposed to unauthenticated users.
    2. The ping_ipaddr argument of the ping_test action fails to
       properly handle newline characters.


Any arguments after a newline character sent as ping_ipaddr in a POST
to /apply_sec.cgi are executed on the device with root privileges.
The following devices are reported to be vulnerable:

    DIR-655
    DIR-866L
    DIR-652
    DHP-1565
    DIR-855L
    DAP-1533
    DIR-862L
    DIR-615
    DIR-835
    DIR-825
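
The newline flaw described above can be spotted in proxy logs or captured
traffic by decoding the POST body and checking ping_ipaddr. The Python below
is an added example, not part of the CERT/CC note or of any vendor code; the
function names, verdict labels and sample requests are constructed, and
flagging a non-IP value for review is an assumption.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

CGI_PATH = "/apply_sec.cgi"   # endpoint named in the advisory
FIELD = "ping_ipaddr"         # argument named in the advisory


def is_plain_ip(value):
    """True only when value is exactly one IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def inspect_request(method, target, body):
    """Return 'ignore', 'ok', 'review' or 'newline-injection' for one request."""
    if method.upper() != "POST" or urlsplit(target).path != CGI_PATH:
        return "ignore"
    verdict = "ok"
    # parse_qsl percent-decodes, so %0a and %0d become real control characters.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name != FIELD:
            continue
        if "\n" in value or "\r" in value:
            return "newline-injection"   # the flaw described in the advisory
        if not is_plain_ip(value):
            verdict = "review"           # assumption: anything but an IP literal is odd
    return verdict


# Constructed sample requests (method, request target, form body); not real traffic.
SAMPLES = [
    ("GET", "/index.html", ""),
    ("POST", "/apply_sec.cgi", "ping_ipaddr=192.0.2.10"),
    ("POST", "/apply_sec.cgi?x=1", "ping_ipaddr=router.example"),
    ("POST", "/apply_sec.cgi", "other=1&ping_ipaddr=192.0.2.10%0aPLACEHOLDER"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(f"{inspect_request(method, target, body):18} {method} {target}")
```

Because the advisory states the endpoint is exposed to unauthenticated users,
a 'newline-injection' verdict is actionable without any session context.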


Impact

By performing an HTTP POST request to a vulnerable router's
/apply_sec.cgi page, a remote, unauthenticated attacker may be able
to execute commands with root privileges on an affected device.
This action can happen as the result of viewing a specially-crafted
web page.


Solution

The CERT/CC is currently unaware of a practical solution to this
problem. The devices listed above are no longer supported by D-Link.

Replace affected devices

Because D-Link is not providing updates to the devices listed above,
it is important to replace any affected device with one that is
currently supported by the vendor.


Vendor Information

D-Link Systems, Inc.

Updated:  October 21, 2019

Status
  Affected

Vendor Statement

No statement is currently available from the vendor regarding
this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this
vulnerability.


CVSS Metrics

Group           Score   Vector
Base            10      AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal        9       E:POC/RL:U/RC:C
Environmental   6.7     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


References


    https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html
    https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3
    https://tools.ietf.org/html/rfc3875


Acknowledgements

This vulnerability was coordinated and publicly disclosed by Fortinet's
FortiGuard Labs.

This document was written by Will Dormann.


Other Information
CVE IDs:                CVE-2019-16920
Date Public:            2019-10-03
Date First Published:   2019-10-23
Date Last Updated:      2019-10-23 18:02 UTC
Document Revision:      10


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



