DLink DIR-859 1.05 & 1.06B01 Multiple Vulnerabilities (RCE)

critical Nessus Plugin ID 187210

Synopsis

A web application is affected by multiple remote code execution vulnerabilities.

Description

The version of the D-Link DIR-859 firmware installed on the remote host is prior to 1.07b03. It is, therefore, affected by multiple remote code execution vulnerabilities as referenced in the vendor advisory.

- The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network. (CVE-2019-17621)

- D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. (CVE-2019-20215)

- D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via the urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because REMOTE_PORT is mishandled. The value of the urn: service/device is checked with the strstr function, which allows an attacker to concatenate arbitrary commands separated by shell metacharacters. (CVE-2019-20216)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 1.07b03 or later.

See Also

http://www.nessus.org/u?a0583e6e

http://www.nessus.org/u?ec7efd10

Plugin Details

Severity: Critical

ID: 187210

File Name: dlink_dir-859_1.07b03.nasl

Version: 1.1

Type: remote

Family: Web Servers

Published: 12/22/2023

Updated: 12/22/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-20217

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:dlink:dir

Required KB Items: installed_sw/DLink DIR

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/14/2020

Vulnerability Publication Date: 1/2/2020

CISA Known Exploited Vulnerability Due Dates: 7/20/2023

Exploitable With

Metasploit (D-Link Unauthenticated Remote Command Execution using UPnP via a special crafted M-SEARCH packet.)

Reference Information

CVE: CVE-2019-17621, CVE-2019-20215, CVE-2019-20216, CVE-2019-20217