CVE-2022-43632

Name of the Vulnerable Software and Affected Versions D-Link DIR-1935 version 1.03

Description The issue is related to the SetQoSSettings() function in the web management interface of D-Link DIR-1935 routers, which fails to properly clean input data in the user-supplied string when processing the QoSInfo element. This can be exploited by a remote attacker to execute arbitrary code, even though authentication is required, as the existing authentication mechanism can be bypassed. The vulnerability allows an attacker to execute code in the context of root by leveraging the improper validation of a user-supplied string used to execute a system call when parsing subelements within the QoSInfo element.

Recommendations For D-Link DIR-1935 version 1.03, as a temporary workaround, consider disabling the SetQoSSettings() function until a patch is available. Restrict access to the web management portal to minimize the risk of exploitation. Avoid using the QoSInfo element in the SetQoSSettings requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.