PT-2019-6342 · D Link · Dir-868L+4

Pr0V3Rbs · Published 2019-01-07 · Updated 2023-04-26 · CVE-2018-19987

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

D-Link DIR-822 versions Rev.B 202KRb06 through Rev.C 3.10B06
D-Link DIR-860L version Rev.B 2.03.B03
D-Link DIR-868L version Rev.B 2.05B02
D-Link DIR-880L version Rev.A 1.20B01 01 i3se BETA
D-Link DIR-890L version Rev.A 1.21B02 BETA
Description

The issue arises from the mishandling of the IsAccessPoint parameter in the /HNAP1/SetAccessPointMode endpoint. Specifically, the SetAccessPointMode.php source code writes this parameter into the ShellPath script file without any regex checking, so the value is interpreted as shell input when the script file is executed, resulting in command injection. An attacker could exploit this by sending a crafted /HNAP1/SetAccessPointMode XML message containing shell metacharacters in the IsAccessPoint element, such as the telnetd string.
Recommendations

For D-Link DIR-822 Rev.B 202KRb06 through Rev.C 3.10B06, consider disabling the SetAccessPointMode.php function until a patch is available.

For D-Link DIR-860L Rev.B 2.03.B03, restrict access to the /HNAP1/SetAccessPointMode endpoint to minimize the risk of exploitation.

For D-Link DIR-868L Rev.B 2.05B02, avoid using the IsAccessPoint parameter in the /HNAP1/SetAccessPointMode endpoint until the issue is resolved.

For D-Link DIR-880L Rev.A 1.20B01 01 i3se BETA and D-Link DIR-890L Rev.A 1.21B02 BETA, as a temporary workaround, consider disabling the telnetd string execution in the ShellPath script file until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
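The missing input check described above can be enforced in front of the device or applied to captured request bodies. The following is an added example, not D-Link's code or part of the original advisory: it parses an HNAP SOAP body and rejects any SetAccessPointMode request whose IsAccessPoint value is not an exact boolean literal. The function names, the assumption that only `true` and `false` are legitimate values, and the sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the only legitimate IsAccessPoint values are these literals.
ALLOWED = {"true", "false"}
# Characters a POSIX shell treats specially; used only to explain a rejection.
SHELL_META = set(";|&`$(){}<>\\'\"\n\r\t *?!#~")


def local(tag):
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def check_hnap_body(body):
    """Return (verdict, detail) for one HNAP SOAP request body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "reject", f"malformed XML: {exc}"
    for action in root.iter():
        if local(action.tag) != "SetAccessPointMode":
            continue
        # itertext() also captures text hidden behind nested child elements.
        values = ["".join(e.itertext()) for e in action.iter()
                  if local(e.tag) == "IsAccessPoint"]
        if len(values) != 1:
            return "reject", f"expected one IsAccessPoint, found {len(values)}"
        value = values[0]
        if value in ALLOWED:  # exact match: no trimming, no case folding
            return "allow", value
        meta = sorted(c for c in set(value) if c in SHELL_META)
        return "reject", f"non-boolean value, shell metacharacters: {meta}"
    return "not-applicable", "no SetAccessPointMode action"


# Constructed sample bodies (not captured traffic).
ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><SetAccessPointMode xmlns="http://purenetworks.com/HNAP1/">'
    "<IsAccessPoint>{}</IsAccessPoint>"
    "</SetAccessPointMode></soap:Body></soap:Envelope>"
)
BENIGN = ENVELOPE.format("true")
SUSPECT = ENVELOPE.format("true;CONSTRUCTED")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_hnap_body(body))
```

An allow-list of exact values is used rather than a metacharacter deny-list, so any value outside the expected literals is rejected even if it contains no character from `SHELL_META`.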

Exploit

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2023-02680
CVE-2018-19987

Affected Products

Dir-822
Dir-860L
Dir-868L
Dir-880L
Dir-890L