CVE-2021-20133

Name of the Vulnerable Software and Affected Versions: D-Link DIR-2640 versions less than or equal to 1.11B02

Description: The issue allows a remote, authenticated attacker to set the "message of the day" banner to any file on the system, enabling them to read all or some of the contents of those files. This can lead to the disclosure of sensitive information, including hashed credentials, hardcoded plaintext passwords for other services, configuration files, and private keys. Additionally, improper handling of filenames that identify virtual resources, such as "/dev/urandom", can allow an attacker to effect a denial of service attack against the command line interfaces of the Quagga services (zebra and ripd).

Recommendations: For D-Link DIR-2640 versions less than or equal to 1.11B02, consider restricting access to the Quagga services until a patch is available. As a temporary workaround, consider disabling the setting of the "message of the day" banner to prevent an attacker from reading sensitive files. Restrict access to virtual resources, such as "/dev/urandom", to minimize the risk of a denial of service attack against the command line interfaces of the Quagga services.