Multiple critical vulnerabilities affect D-Link DIR-2150 router
An anonymous third party working with Trend Micro's Zero Day Initiative (ZDI) has discovered five critical vulnerabilities in routers from Taiwan-based networking equipment manufacturer D-Link that leave users open to cyber attacks.
Three of the vulnerabilities (CVE-2022-3210, CVE-2022-40719, CVE-2022-40720) are command injection bugs, while the other two (CVE-2022-40717, CVE-2022-40718) are stack-based buffer overflows. All five flaws affect the D-Link (Non-US) DIR-2150 hardware revision R with firmware version v4.01 and below. Following successful exploitation, they let attackers execute arbitrary code on unpatched routers.
D-Link has resolved the bugs found in firmware version 4.01 and has issued a firmware hotfix for all affected customers on June 24, 2022, available for download here.
Here is the list of the five vulnerabilities affecting the D-Link (Non-US) DIR-2150:
- CVE-2022-3210 (CVSS score: 8.8): Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account.
- CVE-2022-40717 (CVSS score: 8.8): Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the anweb service, which listens on TCP ports 80 and 443 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
- CVE-2022-40718 (CVSS score: 8.8): Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the anweb service, which listens on TCP ports 80 and 443 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
- CVE-2022-40719 (CVSS score: 8.8): Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd_generic.lua plugin for the xupnpd service, which listens on TCP port 4044 by default. When parsing the feed parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account.
- CVE-2022-40720 (CVSS score: 8.8): Command Injection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Dreambox plugin for the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the router.
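The bug class behind CVE-2022-40717 and CVE-2022-40718 (a user-supplied value copied into a fixed-length stack buffer without a length check), as an added illustration that is not D-Link's, anweb's or ZDI's code: the defective pattern beside the corrected form that validates the length before copying. The query-string parser, the 64-byte buffer size and the return codes are assumptions made for this example.

```c
#include <string.h>

#define VALUE_MAX 64   /* fixed stack buffer size: an assumed value for this example */

/* Find the value of "name=" in a query string such as "feed=abc&id=1"; returns a
 * pointer to it and stores its length (up to the next '&' or end), or NULL. */
static const char *find_value(const char *query, const char *name, size_t *len)
{
    size_t n = strlen(name);
    const char *p = query;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == query || p[-1] == '&') && p[n] == '=') {
            const char *v = p + n + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p += n;
    }
    return NULL;
}

/* Defective pattern of the kind described for anweb: the value is copied into a
 * fixed-length stack buffer with no length validation, so a value of VALUE_MAX
 * bytes or more writes past the end of buf. Shown for contrast only. */
static int copy_value_unchecked(const char *query, const char *name)
{
    char buf[VALUE_MAX];
    size_t len;
    const char *v = find_value(query, name, &len);
    if (v == NULL) return -1;
    memcpy(buf, v, len);        /* missing check: len < sizeof buf */
    buf[len] = '\0';
    return (int)len;
}

/* Hardened form: reject the request before any byte is copied, keeping one
 * byte for the terminating NUL (hence >=, not >). */
static int copy_value_checked(const char *query, const char *name)
{
    char buf[VALUE_MAX];
    size_t len;
    const char *v = find_value(query, name, &len);
    if (v == NULL) return -1;
    if (len >= sizeof buf)
        return -2;              /* caller should answer 400 and log the oversize value */
    memcpy(buf, v, len);
    buf[len] = '\0';
    return (int)len;
}
```

A request that triggers the -2 path is worth logging with source address and parameter name, since repeated oversize values against a web management interface are a useful detection signal for this bug class.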
It is recommended that users of the affected product apply the relevant updates as soon as possible.