PT-2019-2543 · D Link · Dwr-512+7

Published: 2019-04-11 · Updated: 2023-04-26 · CVE-2018-19300

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

D-Link DAP-1530 version 1.06b01 and earlier
D-Link DAP-1610 version 1.06b01 and earlier
D-Link DWR-111 version 1.02v02 and earlier
D-Link DWR-116 version 1.06b03 and earlier
D-Link DWR-512 version 2.02b01 and earlier
D-Link DWR-711 versions prior to 1.11
D-Link DWR-712 version 2.04b01 and earlier
D-Link DWR-921 version 1.02b01 and earlier
D-Link DWR-921 version 2.03b01 and earlier

Description

The issue is caused by insufficient input validation in the EXCU SHELL component of D-Link router firmware. By sending a GET request with specially crafted headers to the "/EXCU SHELL" URI, a remote attacker could execute arbitrary shell commands on the affected device in the root context, that is, as the root user.

Recommendations

For D-Link DAP-1530, update to firmware version 1.06b01 or later.
For D-Link DAP-1610, update to firmware version 1.06b01 or later.
For D-Link DWR-111, update to firmware version 1.02v02 or later.
For D-Link DWR-116, update to firmware version 1.06b03 or later.
For D-Link DWR-512, update to firmware version 2.02b01 or later.
For D-Link DWR-711, update to a version later than 1.11.
For D-Link DWR-712, update to firmware version 2.04b01 or later.
For D-Link DWR-921 (A1), update to firmware version 1.02b01 or later.
For D-Link DWR-921 (B1), update to firmware version 2.03b01 or later.

As a temporary workaround, consider restricting access to the /EXCU SHELL URI until a patch is available.
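
To support the workaround above, the following added example (not part of the original advisory and not vendor code) flags requests to the URI in HTTP access logs from a proxy or gateway placed in front of the device. It assumes combined log format; the function names, sample lines and addresses are constructed, and the separator in the URI is normalized so that a space, `%20`, `+` or underscore all match.

```python
import re
from urllib.parse import unquote_plus

# Combined log format (assumed). The request target is matched lazily up to the
# optional protocol token so a raw space inside the path does not break parsing.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) ')
# Canonical form of the URI after normalize_path(); matching is deliberately lenient.
URI_RE = re.compile(r"^/EXCU_SHELL(?:/|$)")

def normalize_path(target):
    """Reduce a request target to a canonical upper-case path."""
    path = re.split(r"[?#]", target, maxsplit=1)[0]            # drop query/fragment
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", path, flags=re.I)  # absolute-form
    for _ in range(2):                                         # single and double encoding
        path = unquote_plus(path)
    path = re.sub(r"/+", "/", path)                            # collapse repeated slashes
    return re.sub(r"[\s_]+", "_", path).upper()                # space or underscore

def find_hits(lines):
    """Return source, time, method and status of every request to the URI.

    The crafted headers are normally not written to access logs, so the
    check keys on the URI alone; any hit is worth reviewing."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and URI_RE.match(normalize_path(m["target"])):
            hits.append({k: m[k] for k in ("src", "ts", "method", "status")})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Apr/2019:10:01:02 +0000] "GET /EXCU_SHELL HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [11/Apr/2019:10:02:10 +0000] "GET /excu%20shell?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.7 - - [11/Apr/2019:10:03:00 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [11/Apr/2019:10:04:00 +0000] "GET /EXCU%2520SHELL HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.44 - - [11/Apr/2019:10:05:00 +0000] "GET /docs/EXCU_SHELL_notes.txt HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.10 - - [11/Apr/2019:10:06:00 +0000] "GET /EXCU SHELL HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```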

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2019-02388
CVE-2018-19300

Affected Products

Dap-1530
Dap-1610
Dwr-111
Dwr-116
Dwr-512
Dwr-711
Dwr-712
Dwr-921