SB2020012914 - Multiple vulnerabilities in D-Link DIR-859
Published: January 29, 2020 Updated: June 29, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2019-17621)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the UPnP endpoint URL in /gena.cgi. A remote unauthenticated attacker can send a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Information disclosure (CVE-ID: CVE-2019-20213)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient protection of user-supplied input in the "AUTHORIZED_GROUP=1%0a" value, as demonstrated by "vpnconfig.php" file. A remote attacker can gain unauthorized access to sensitive information on the system.
3) OS Command Injection (CVE-ID: CVE-2019-20217)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to the SERVER_ID is mishandled in the "ssdpcgi()" function in "/htdocs/cgibin". A remote unauthenticated attacker can execute arbitrary OS commands on the target system via the urn: to the M-SEARCH method.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) OS Command Injection (CVE-ID: CVE-2019-20216)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to the REMOTE_PORT is mishandled in the "ssdpcgi()" function in "/htdocs/cgibin". A remote unauthenticated attacker can execute arbitrary OS commands on the target system via urn: to the M-SEARCH method.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
5) OS Command Injection (CVE-ID: CVE-2019-20215)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to the HTTP_ST is mishandled in the "ssdpcgi()" function in "/htdocs/cgibin". A remote unauthenticated attacker can execute arbitrary OS commands on the target system via a urn: to the M-SEARCH method.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- http://packetstormsecurity.com/files/156054/D-Link-DIR-859-Unauthenticated-Remote-Command-Execution.html
- https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-en-d94b47a15104
- https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-es-fad716629ff9
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147
- https://www.dlink.com/en/security-bulletin
- https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf
- https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f
- https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-es-6540f7f55b03
- https://medium.com/@s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-en-6bca043500ae
- https://medium.com/@s1kr10s/d-link-dir-859-rce-unauthenticated-cve-2019-20216-cve-2019-20217-es-e11ca6168d35
- https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-rce-in-ssdpcgi-http-st-cve-2019-20215-en-2e799acb8a73