CVE-2019-20216

Name of the Vulnerable Software and Affected Versions D-Link DIR-859 versions 1.05 through 1.06B01 Beta01

Description The issue exists due to the mishandling of the REMOTE PORT component in the D-Link DIR-859 router's firmware, allowing an attacker to execute arbitrary OS commands. This can be achieved by sending a request to the /htdocs/cgibin endpoint using the M-SEARCH method with a specially crafted urn: value. The strstr function is used to check the value of urn: service/device, which enables an attacker to concatenate arbitrary commands separated by shell metacharacters.

Recommendations For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, consider disabling the ssdpcgi() function in /htdocs/cgibin as a temporary workaround until a patch is available. Restrict access to the /htdocs/cgibin endpoint to minimize the risk of exploitation. Avoid using the urn: service/device value in the M-SEARCH method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.