Security researchers Miguel Méndez Zúñiga and Pablo Pollanco from Telefónica Chile recently published proof-of-concept (PoC) exploits for remote command execution and information disclosure vulnerabilities affecting many D-Link routers.
The security duo published on Medium the technical details of the vulnerabilities in two posts along with PoC videos for their exploitation.
The first issue is a remote command execution vulnerability, tracked as CVE-2019-17621, that resides in the code used to manage UPnP requests. The vulnerability could be exploited by an
“The remote code execution vulnerability was found in the code used to manage UPnP requests.” reads the post published by the experts.
The experts published the analysis and the Metasploit exploit code on GitHub (Router D-LINK RCE).
“The original security vulnerability, filed under CVE-2019-17621 and CVE-2019-20213 with D-Link original response found here, allowed a malicious user an
“In order for this security exploit to be done, a malicious user would have to get access to the LAN side or in-home access to the device, which narrows the risk of an attack considerably.
D-Link was informed about the flaw by a third-party company in mid-October, but its initial security advisory only identified the DIR-859 router family as being vulnerable. Later, the vendor updated the advisory and included tens of D-Link DIR models in the list of
The other vulnerability is an information disclosure issue that could be exploited by an attacker to obtain a device’s VPN configuration file, potentially exposing sensitive information.
“Due to a mistake in the processing of the request body, it is possible to bypass the authentication required by the device when accessing certain PHP files, by sending a specially crafted HTTP request.”
The advisory published by the vendor is available here.
D-Link has already released firmware updates that should address the vulnerabilities for some of the impacted devices and should soon release the fixes for the remaining ones. Some of the vulnerable models that have reached end of life will not receive patches.