CVE-2019-8318

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue is related to a Command Injection vulnerability in the SetSysEmailSettings API function, allowing a remote attacker to execute arbitrary code and gain a root shell. This occurs when the twsystem function is called with untrusted input from the request body, as demonstrated by shell metacharacters in the SMTPServerPort field. The vulnerability can be exploited via a crafted /HNAP1 POST request.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetSysEmailSettings API function until a patch is available to prevent exploitation. Restrict access to the HNAP API to minimize the risk of arbitrary code execution. Avoid using the SMTPServerPort field in the SetSysEmailSettings API function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.