CVE-2019-17509

Name of the Vulnerable Software and Affected Versions D-Link DIR-846 version 100A35

Description The issue is related to insufficient argument checking in the SetMasterWLanSettings function of the D-Link DIR-846 firmware, allowing remote attackers to execute arbitrary OS commands as root. This can be achieved by sending a specially crafted /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to the /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php script.

Recommendations For version 100A35, update the firmware to a version that addresses the issue with the SetMasterWLanSettings function, ensuring proper argument checking to prevent arbitrary command execution. As a temporary workaround, consider restricting access to the /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php script to minimize the risk of exploitation.