{"vuid":"VU#766427","idnumber":"766427","name":"Multiple D-Link routers vulnerable to remote command execution","keywords":["ping_test","apply_sec.cgi","ssi"],"overview":"Multiple D-Link routers are vulnerable to unauthenticated remote command execution.","clean_desc":"Several D-Link routers contain CGI capability that is exposed to users as /apply_sec.cgi, and dispatched on the device by the binary /www/cgi/ssi. This CGI code contains two flaws: The /apply_sec.cgi code is exposed to unauthenticated users. The ping_ipaddr argument of the ping_test action fails to properly handle newline characters. Any arguments after a newline character sent as ping_ipaddr in a POST to /apply_sec.cgi are executed on the device with root privileges. The following devices are reported to be vulnerable: DIR-655 DIR-866L DIR-652 DHP-1565 DIR-855L DAP-1533 DIR-862L DIR-615 DIR-835 DIR-825 We have made a proof-of-concept exploit available, which will disable network connectivity for one minute on affected devices.","impact":"By performing an HTTP POST request to a vulnerable router's /apply_sec.cgi page, a remote, unauthenticated attacker may be able to execute commands with root privileges on an affected device. This action can happen as the result of viewing a specially-crafted web page.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem. 
The devices listed above are no longer supported by D-Link.","workarounds":"Replace affected devices Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor.","sysaffected":"","thanks":"This vulnerability was coordinated and publicly disclosed by Fortinet's FortiGuard Labs.","author":"This document was written by Will Dormann.","public":["https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce.html","https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3","https://tools.ietf.org/html/rfc3875"],"cveids":["CVE-2019-16920"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2019-10-09T15:40:53Z","publicdate":"2019-10-03T00:00:00Z","datefirstpublished":"2019-10-23T18:02:49Z","dateupdated":"2019-10-25T11:45:42Z","revision":13,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"9","cvss_environmentalscore":"6.746283936","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}