CVE-2020-15633

Name of the Vulnerable Software and Affected Versions D-Link DIR-867-US, DIR-878, DIR-882-US versions 1.20B10 BETA

Description The issue is related to the implementation of the HNAP protocol in the firmware of D-Link routers, which allows an attacker to bypass authentication procedures by utilizing an alternative path or channel when handling HTTP requests that include the string ?GetCAPTCHAsetting. This can enable a remote attacker to bypass security restrictions, escalate privileges, or execute arbitrary code. The flaw exists within the handling of HNAP requests due to incorrect string matching logic when accessing protected pages.

Recommendations For D-Link DIR-867-US, DIR-878, DIR-882-US version 1.20B10 BETA, consider disabling the handling of HNAP requests or restricting access to protected pages as a temporary workaround until a patch is available. Avoid using the ?GetCAPTCHAsetting string in HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.