Remote code execution in multiple D-Link routers

1) Stack-based buffer overflow

EUVDB-ID: #VU67536

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-41140

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the lighttpd service when handling HTTP requests. A remote unauthenticated attacker can send a specially crafted HTTP request to port 80/tcp on the affected device, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Model	Hardware Revision	Affected FW	Fixed FW	Recommendation	Last Updated
DIR-867	All Ax Hardware Revisions	v1.30B07 & Below	Under Development	Pending Release	03/04/2022
DIR-878	All Ax Hardware Revisions	v1.30B08-Hotfix & Below	v1.30b08_Beta_Hotfix	Upgrade to Beta Hotfix	04/01/2022
DIR-882-US	All Ax Hardware Revisions	v1.30B06-Hotfix & Below	Under Development	Pending Release	03/04/2022

Vulnerable software versions

DIR-878: 1.30B08-Hotfix - v1.30b10Beta

DIR-882-US: 1.30B06-Hotfix - v1.30b10Beta

DIR-867: 1.30B07

External links

http://www.zerodayinitiative.com/advisories/ZDI-22-1290/
http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10291

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.