SB2019020406 - Multiple vulnerabilities in D-Link DIR-823G




Published: February 4, 2019
Updated: February 19, 2019

Security Bulletin ID: SB2019020406
Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 33%, Low: 67%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2019-7298)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can execute arbitrary OS commands via a specially crafted /HNAP1 request when any HNAP API function triggers a call to the system function with untrusted input from the request body, such as a body of ' /bin/telnetd' for the GetDeviceSettingsset API function.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) OS Command Injection (CVE-ID: CVE-2019-7297)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote unauthenticated attacker can execute arbitrary OS commands via shell metacharacters in a crafted /HNAP1 request when the GetNetworkTomographyResult function calls the system function with an untrusted input parameter named Address.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
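
A hardened form of the pattern behind CVE-2019-7297 and CVE-2019-7298, added here as an illustration and not taken from D-Link's firmware or patch: the Address value is checked against a strict allowlist and handed to the program as a single argument, so no shell ever parses it. The names address_is_safe and run_diagnostic, and the use of ping at /bin/ping as the diagnostic, are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for an Address value: 1 only for an IPv4 literal or DNS
 * hostname (ASCII letters, digits, '.', '-'; labels of 1..63 characters
 * that do not start or end with '-'; at most 253 characters in total).
 * Spaces, quotes and shell metacharacters all fail; the leading '-' rule
 * also stops the value being read as a command-line option. */
int address_is_safe(const char *addr)
{
    size_t len, i, label = 0;
    if (addr == NULL || (len = strlen(addr)) == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '.') {
            if (label == 0 || addr[i - 1] == '-') return 0;
            label = 0;
        } else if (c < 0x80 && (isalnum(c) || c == '-')) {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else {
            return 0;
        }
    }
    return label > 0 && addr[len - 1] != '-';
}

/* Hardened replacement for system("<command> " + Address): validate, then
 * pass the value as one argv element so no shell ever parses it.
 * Assumption: the diagnostic is ping at /bin/ping (not stated on the page).
 * Returns the exit status, or -1 if the value is rejected or on error. */
int run_diagnostic(const char *addr)
{
    char *const argv[] = { "ping", "-c", "1", (char *)addr, NULL };
    int status;
    pid_t pid;

    if (!address_is_safe(addr)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execv("/bin/ping", argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```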


3) Improper access control (CVE-ID: CVE-2019-7390)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can hijack the DNS service configuration of all clients in the WLAN via the SetWanSettings HNAP API.


4) Improper access control (CVE-ID: CVE-2019-7389)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can reset the router via the SetFactoryDefault HNAP API.


5) Information disclosure (CVE-ID: CVE-2019-7388)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in /bin/goahead due to incorrect access control. A remote unauthenticated attacker can obtain sensitive information (such as MAC addresses) about all clients in the WLAN via the GetClientInfo HNAP API.


6) Security restrictions bypass (CVE-ID: CVE-2019-8392)

The vulnerability allows a remote attacker to bypass security restrictions on the system.

The vulnerability exists due to incorrect access control in the SetWLanRadioSettings HNAP API. A remote attacker can send a specially crafted request and bypass security restrictions to enable Guest Wi-Fi.


Remediation

Install the update from the vendor's website.