CVE-2018-17063

Name of the Vulnerable Software and Affected Versions D-Link DIR-816 A2 version 1.10 B05

Description An issue exists in the handler function of the "/goform/NTPSyncWithHost" route, where an HTTP request parameter is used in command string construction. This could lead to command injection via shell metacharacters. The vulnerability in the NTPSyncWithHost function of the D-Link DIR-816 A2 router's firmware exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary commands through shell metacharacters.

Recommendations For D-Link DIR-816 A2 version 1.10 B05, as a temporary workaround, consider disabling the "/goform/NTPSyncWithHost" route until a patch is available. Restrict access to this route to minimize the risk of exploitation. Avoid using parameters that could be used for command injection in the affected route until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.