CVE-2022-41140: Unauthenticated RCE bug affects multiple D-Link routers
A critical buffer overflow leading to remote code execution (RCE) affects several D-Link routers, most of which remain unpatched.
Tracked as CVE-2022-41140 and carrying a CVSS score of 8.8, the vulnerability was found in the DIR-867, DIR-878, and DIR-882-US routers. All three models are still supported, but only the DIR-878 has received a patch.
The issue can be triggered without authentication by sending specially crafted input to the lighttpd service, which listens on TCP port 80 by default, to trigger a command injection. An attacker able to trigger the vulnerability could achieve full system compromise.
“A stack-based buffer overflow in the prog.cgi binary in D-Link DIR-867. A crafted HTTP request can cause the program to use `strcat()` to create an overly long string on a 512-byte stack buffer,” read the advisory.
CVE-2022-41140 results from the lack of proper validation of the length of user-supplied data before it is copied into a fixed-length stack-based buffer.
Discovered by an anonymous researcher working with Trend Micro's Zero Day Initiative, the flaw was reported to D-Link in February. D-Link has confirmed the vulnerability and released a first Beta Hotfix for the DIR-878 model. According to D-Link, fixed firmware for the DIR-867 and DIR-882-US is still under development and will be published on support.dlink.com as soon as it becomes available.
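To make the bug class concrete, here is an added example that is not D-Link's code and is not taken from the affected firmware: a hypothetical CGI helper that concatenates request fields into a 512-byte stack buffer. It computes the length an unchecked `strcat()` loop would write, and places beside it a bounded append that rejects any fragment that would not fit and leaves the buffer NUL-terminated. The function names, the sample request fragments and the 600-byte oversized value are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer named in the advisory. */
#define STACK_BUF_SIZE 512

/* Number of bytes an unchecked strcat() loop would write (NUL included)
 * when appending `fragments` to an empty buffer. The vulnerable pattern
 * never compares this figure against the buffer size. */
size_t unchecked_total_len(const char *const *fragments, size_t n) {
    size_t total = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        total += strlen(fragments[i]);
    return total;
}

/* Hardened append (hypothetical helper): refuses a fragment that would not
 * fit, so the buffer stays inside its bounds and NUL-terminated.
 * Returns 0 on success, -1 if the fragment was rejected. */
int append_bounded(char *buf, size_t buf_size, const char *fragment) {
    const char *end = memchr(buf, '\0', buf_size);
    if (end == NULL)
        return -1;                           /* buffer is not terminated */
    size_t used = (size_t)(end - buf);
    size_t avail = buf_size - used - 1;      /* room left before the NUL */
    size_t flen = strlen(fragment);
    if (flen > avail)
        return -1;                           /* would overflow: reject */
    memcpy(buf + used, fragment, flen + 1);  /* copies the NUL as well */
    return 0;
}

/* Builds a request-derived string the way a CGI handler might, but through
 * the bounded helper. Returns 0 if every fragment fit, -1 on rejection. */
int build_from_request(char *buf, size_t buf_size,
                       const char *const *fragments, size_t n) {
    if (buf_size == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (append_bounded(buf, buf_size, fragments[i]) != 0)
            return -1;
    }
    return 0;
}

/* Constructed sample: a short request that fits. Returns 1 when the bounded
 * builder accepts it and produces the expected string. */
int demo_short_request_fits(void) {
    char buf[STACK_BUF_SIZE];
    const char *frags[] = {"GET ", "/cgi-bin/", "index"};
    return build_from_request(buf, sizeof buf, frags, 3) == 0
        && strcmp(buf, "GET /cgi-bin/index") == 0;
}

/* Constructed sample: a 600-byte field, the kind of oversized input the
 * advisory describes. Returns 1 when the bounded builder rejects it, the
 * buffer still holds only the accepted prefix, and the unchecked length
 * shows that strcat() would have run past the 512-byte buffer. */
int demo_oversized_request_rejected(void) {
    char buf[STACK_BUF_SIZE];
    char big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    const char *frags[] = {"prefix=", big};
    return build_from_request(buf, sizeof buf, frags, 2) == -1
        && strlen(buf) == strlen("prefix=")
        && unchecked_total_len(frags, 2) > STACK_BUF_SIZE;
}

int main(void) {
    printf("short request accepted: %d\n", demo_short_request_fits());
    printf("oversized request rejected: %d\n", demo_oversized_request_rejected());
    return 0;
}
```

The difference between the two paths is the single comparison in `append_bounded`: the advisory's "lack of proper validation of the length" is exactly that missing check, and the fix is to measure remaining capacity before every copy rather than after the fact.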
Affected Models

| Model | Hardware Revision | Affected FW | Fixed FW | Recommendation | Last Updated |
|---|---|---|---|---|---|
| DIR-867 | All Ax Hardware Revisions | v1.30B07 & Below | Under Development | Pending Release | 03/04/2022 |
| DIR-878 | All Ax Hardware Revisions | v1.30B08-Hotfix & Below | v1.30b08_Beta_Hotfix | Upgrade to Beta Hotfix | 04/01/2022 |
| DIR-882-US | All Ax Hardware Revisions | v1.30B06-Hotfix & Below | Under Development | Pending Release | 03/04/2022 |
Customers running the affected D-Link models are strongly advised to apply the patches and firmware upgrades released by the company to mitigate the threat.