PT-2019-3736 · D Link · Dir-823

Published

2019-08-23

Updated

2020-08-24

CVE-2019-15528

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions D-Link DIR-823G versions V1.0.2B05

Description The issue is related to the lack of input validation in the SetStaticRouteSettings field, allowing for command injection via shell metacharacters in the Interface field. This can be exploited by a remote attacker to impact the confidentiality, integrity, and availability of protected information by sending a request to the "HNAP1" endpoint.

Recommendations For version V1.0.2B05, consider restricting access to the "HNAP1" endpoint and the SetStaticRouteSettings field to minimize the risk of exploitation. As a temporary workaround, avoid using shell metacharacters in the Interface field until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

BDU:2019-03991

CVE-2019-15528

Affected Products

Dir-823

PT-2019-3736 · D Link · Dir-823

CVE-2019-15528

Weakness Enumeration

Related Identifiers

Affected Products

References · 5