CVE-2023-34280

Name of the Vulnerable Software and Affected Versions D-Link DIR-2150 (affected versions not specified)

Description The issue is related to the SetSysEmailSettings function in the D-Link DIR-2150 router's software, which lacks proper input validation. This allows a remote attacker to execute arbitrary code using specially crafted data. The vulnerability exists within the SOAP API interface, which listens on TCP port 80 by default, and is caused by the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

Recommendations As a temporary workaround, consider disabling the SetSysEmailSettings function until a patch is available. Restrict access to the SOAP API interface, which listens on TCP port 80 by default, to minimize the risk of exploitation. Avoid using the EmailTo command in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.