CVE-2019-8317

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description An issue allows a remote attacker to execute arbitrary code and get a root shell through a Command Injection vulnerability. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetStaticRouteIPv6Settings API function, as demonstrated by shell metacharacters in the DestNetwork field. The vulnerability is related to insufficient input validation in the SetStaticRouteIPv6Settings function.

Recommendations For D-Link DIR-878 version 1.12A1, as a temporary workaround, consider disabling the SetStaticRouteIPv6Settings function until a patch is available. Restrict access to the /HNAP1 POST request to minimize the risk of exploitation. Avoid using the DestNetwork field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.