CVE-2018-5371

Name of the Vulnerable Software and Affected Versions D-Link DSL-2640U versions IM 1.00 and ME 1.00 D-Link DSL-2540U version ME 1.00

Description The issue allows authenticated remote attackers to execute arbitrary OS commands via shell metacharacters in the ipaddr field of an HTTP GET request. This is due to the lack of measures to neutralize special elements used in the operating system command.

Recommendations For D-Link DSL-2640U devices with firmware IM 1.00 and ME 1.00, consider restricting access to the diag ping.cmd until a patch is available. For D-Link DSL-2540U devices with firmware ME 1.00, avoid using the ipaddr field in the affected HTTP GET request until the issue is resolved. As a temporary workaround, consider disabling the execution of arbitrary OS commands via shell metacharacters in the ipaddr field until a patch is available.