CVE-2021-20134

Name of the Vulnerable Software and Affected Versions: D-Link DIR-2640 versions less than or equal to 1.11B02

Description: The issue allows a remote, authenticated attacker to exploit an absolute path traversal vulnerability in Quagga Services. This enables the attacker to set an arbitrary file on the router's filesystem as the log file used by Quagga services, such as zebra or ripd. By appending log messages to a shell script on the router's filesystem, an attacker can achieve remote code execution. This can be leveraged to obtain a remote, unauthenticated root shell on the device.

Recommendations: For D-Link DIR-2640 versions less than or equal to 1.11B02, as a temporary workaround, consider restricting access to the Quagga Services until a patch is available. Avoid using the vulnerable Quagga services to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.