PT-2014-2056 · D Link · D-Link Dir-600

Dawid Czagan · Published 2014-03-07 · Updated 2024-12-20 · CVE-2014-100005

CVSS v3.1: 8.0 High
Vector: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: D-Link DIR-600 router, firmware versions prior to 2.17b02
Description: Multiple cross-site request forgery (CSRF) vulnerabilities. The router's administrative CGI endpoints act on any request that carries the administrator's session, without checking that the request originated from the router's own web interface. A remote attacker who gets a logged-in administrator to load a crafted page can therefore have that administrator's browser issue requests that: create an administrator account or enable remote management via a crafted configuration module to "hedwig.cgi"; activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to "pigwidgeon.cgi"; or send a ping via a ping action to "diagnostic.php".
Recommendations: Update the firmware to version 2.17b02 or later. Until the update is applied, reduce exposure in ways that actually interrupt a CSRF chain. The forged requests are issued by the administrator's own browser, so: disable remote management so the endpoints are not reachable from the WAN; log out of the router's administrative interface as soon as configuration is finished rather than leaving a session open while browsing other sites; and, where the firmware allows it, restrict administrative access to a specific trusted LAN host. Note that "hedwig.cgi", "pigwidgeon.cgi" and "diagnostic.php" are the router's normal configuration interface, so simply not using them is not a workaround. The durable fix is vendor-side: a firmware build in which those endpoints reject state-changing requests that lack a per-session anti-CSRF token or that arrive from a foreign origin.
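The mechanism in the description and the fix in the recommendations, as an added example that is not D-Link's firmware code: a small model of one admin CGI endpoint, first in the vulnerable form (any request riding on the admin's session cookie is honoured) and then in a hardened form that also requires a per-session anti-CSRF token and a same-origin Origin/Referer. The endpoint name and the SETCFG,SAVE,ACTIVATE action come from the advisory; the "uid" cookie, the "ACTIONS" and "csrf_token" form fields, and the 192.168.0.1 management address are assumptions and not the real firmware's parameter names.

```python
"""Model of a router admin CGI endpoint with and without CSRF protection.

Added example, not D-Link's code. Endpoint name and action string follow the
advisory; cookie/form field names and the LAN address are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"   # assumed address of the admin UI


@dataclass
class Request:
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class AdminUI:
    """Holds logged-in sessions and issues one CSRF token per session."""

    def __init__(self):
        self.sessions = {}          # session id -> csrf token
        self.config_activated = 0   # count of SETCFG,SAVE,ACTIVATE that took effect

    def login(self):
        sid = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def _session_ok(self, req):
        return req.cookies.get("uid") in self.sessions

    def _same_origin(self, req):
        # Browsers attach Origin to cross-site POSTs; fall back to Referer.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if src is None:
            return False   # fail closed: a state change must prove its source
        parts = urlsplit(src)
        return f"{parts.scheme}://{parts.netloc}" == ROUTER_ORIGIN

    def handle_vulnerable(self, req):
        """Pre-fix behaviour as described: the session cookie alone suffices,
        so a request forged by another site but sent by the admin's browser
        is indistinguishable from a legitimate one."""
        if req.path != "/pigwidgeon.cgi" or not self._session_ok(req):
            return 403
        if req.form.get("ACTIONS") == "SETCFG,SAVE,ACTIVATE":
            self.config_activated += 1
            return 200
        return 400

    def handle_fixed(self, req):
        """Same endpoint with two independent CSRF checks: a per-session token
        the attacker's page cannot read, and a same-origin check the
        attacker's page cannot spoof."""
        if req.path != "/pigwidgeon.cgi" or not self._session_ok(req):
            return 403
        expected = self.sessions[req.cookies["uid"]]
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(expected, supplied) or not self._same_origin(req):
            return 403
        if req.form.get("ACTIONS") == "SETCFG,SAVE,ACTIVATE":
            self.config_activated += 1
            return 200
        return 400


def demo():
    """Run one forged and one legitimate request through both handlers."""
    ui = AdminUI()
    sid, token = ui.login()
    # Constructed forged request: the browser adds the cookie automatically,
    # but the attacker's page has no token and its Origin is its own site.
    forged = Request("/pigwidgeon.cgi", {"uid": sid},
                     {"ACTIONS": "SETCFG,SAVE,ACTIVATE"},
                     {"Origin": "http://attacker.example"})
    # Constructed legitimate request from the router's own admin page.
    legit = Request("/pigwidgeon.cgi", {"uid": sid},
                    {"ACTIONS": "SETCFG,SAVE,ACTIVATE", "csrf_token": token},
                    {"Origin": ROUTER_ORIGIN})
    return {
        "vuln_forged": ui.handle_vulnerable(forged),
        "vuln_legit": ui.handle_vulnerable(legit),
        "fixed_forged": ui.handle_fixed(forged),
        "fixed_legit": ui.handle_fixed(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The token check and the origin check are kept independent on purpose: the origin check alone fails open on clients that strip Referer and send no Origin, which is why the model rejects requests carrying neither header, and the token alone is defeated if the token ever leaks into a URL or a cross-origin-readable page.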


Related Identifiers

BDU:2024-03952
CVE-2014-100005

Affected Products

D-Link Dir-600