CVE-2018-10823

Name of the Vulnerable Software and Affected Versions D-Link DWR-116 versions 1.06 and earlier D-Link DWR-512 versions 2.02 and earlier D-Link DWR-712 versions 2.02 and earlier D-Link DWR-912 versions 2.02 and earlier D-Link DWR-921 versions 2.02 and earlier D-Link DWR-111 versions 1.01 and earlier

Description The issue is related to insufficient neutralization of special elements used in an OS command in the web interface of D-Link router firmware. This can be exploited by a remote attacker to execute arbitrary code by injecting a shell command into the sip parameter when requesting the "chkisg.htm" page. This allows for full control over the device internals.

Recommendations For D-Link DWR-116 versions 1.06 and earlier, update to a version later than 1.06 to resolve the issue. For D-Link DWR-512 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-712 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-912 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-921 versions 2.02 and earlier, update to a version later than 2.02 to resolve the issue. For D-Link DWR-111 versions 1.01 and earlier, update to a version later than 1.01 to resolve the issue. As a temporary workaround, consider restricting access to the "chkisg.htm" page to minimize the risk of exploitation. Avoid using the sip parameter in the affected API endpoint until the issue is resolved.