CVE-2019-8319

Name of the Vulnerable Software and Affected Versions D-Link DIR-878 version 1.12A1

Description The issue is related to a Command Injection vulnerability in the SetStaticRouteIPv4Settings API function, allowing a remote attacker to execute arbitrary code and gain a root shell. This occurs when the HNAP API function triggers a call to the system function with untrusted input from the request body, as demonstrated by shell metacharacters in the Gateway field. The vulnerability can be exploited via a crafted /HNAP1 POST request.

Recommendations For D-Link DIR-878 version 1.12A1, consider disabling the SetStaticRouteIPv4Settings function until a patch is available to prevent exploitation. Restrict access to the /HNAP1 API endpoint to minimize the risk of arbitrary code execution. Avoid using shell metacharacters in the Gateway field to prevent command injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.