CVE-2019-20217

Name of the Vulnerable Software and Affected Versions D-Link DIR-859 versions 1.05 through 1.06B01 Beta01

Description The issue exists due to the mishandling of the SERVER ID component in the D-Link DIR-859 router's firmware, allowing a remote attacker to execute arbitrary OS commands. This is achieved by exploiting the urn: service/device value checked with the strstr function, which enables an attacker to concatenate arbitrary commands separated by shell metacharacters. The exploitation occurs via the M-SEARCH method in ssdpcgi() in /htdocs/cgibin.

Recommendations For D-Link DIR-859 versions 1.05 through 1.06B01 Beta01, as a temporary workaround, consider disabling the ssdpcgi() function in /htdocs/cgibin until a patch is available. Restrict access to the /htdocs/cgibin directory to minimize the risk of exploitation. Avoid using the urn: service/device value in the M-SEARCH method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.