CVE-2019-8313

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue is related to insufficient input validation in the SetIPv6FirewallSettings() API function, allowing a remote attacker to execute arbitrary code. This can be achieved through a Command Injection vulnerability, where an attacker can execute arbitrary OS commands via a crafted /HNAP1 POST request. Specifically, the vulnerability occurs when the twsystem function is called with untrusted input from the request body, such as shell metacharacters in the SrcIPv6AddressRangeStart field.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetIPv6FirewallSettings() API function until a patch is available to prevent exploitation. Restrict access to the /HNAP1 API endpoint to minimize the risk of arbitrary code execution. Avoid using the SrcIPv6AddressRangeStart field in the affected API endpoint until the issue is resolved.