Multiple critical command injection vulnerabilities have been identified in the D-Link DSR VPN router family products. These vulnerabilities are identified with CVE-2020-25757, CVE-2020-25759, CVE-2020-25758 and can allow an attacker to gain complete root access to the affected device. These affected D-Link routers are commonly available on consumer websites, e-commerce sites, and retail outlets to be used by a large number of people. As more employees work-from-home due to the pandemic, the risk of connecting to corporate networks using these devices exists more. A person connecting to the corporate network while using affected devices exposes not only his own environment but also the corporate network.
- CVE-2020-25757: Unauthenticated Remote Root Command Injection
D-Link VPN routers allow various lua cgi actions like ‘/platform.cgi?action=duaAuth‘ and ‘/platform.cgi?action=duaLogout‘ without authentication. These actions execute a lua library function and pass the user-supplied data to a call to ‘os.popen‘ function. Any unauthenticated user can thus inject arbitrary commands via crafted requests, which will be executed with root privileges.
- CVE-2020-25759: Authenticated Root Command Injection
D-Link VPN routers include a ‘Package Management’ form in the ‘Unified Services Router’ web interface which forwards requests to the Lua CGI, but Lua CGI employs no mechanism for server-side filtering of the multi-part data it receives. The unfiltered data is thus passed on to ‘os.execute’ function allowing authenticated users to inject arbitrary commands via crafted requests, which will be executed with root privileges.
- CVE-2020-25758: Authenticated Crontab Injection
D-Link VPN routers allow authenticated users to download and upload the router configuration file which is in plain text. An authenticated user can upload a crafted configuration file with new CRON entries and thus inject arbitrary CRON entries in the configuration file, which then will be executed as arbitrary commands.
Following D-Link DSR Routers with firmware versions v3.17 & below are affected:
- D-Link DSR-150
- D-Link DSR-150N
- D-Link DSR-250
- D-Link DSR-250N
- D-Link DSR-500
- D-Link DSR-500N
- D-Link DSR-500AC
- D-Link DSR-1000
- D-Link DSR-1000N
- D-Link DSR-1000AC
More details on affected versions can be found here.
Impact of Command Injection Vulnerabilities
An attacker can run arbitrary commands with root privileges on the affected firmware.
D-link has currently provided beta firmware or hot-fix releases for only two out of the three reported vulnerabilities. The official firmware releases for these two vulnerabilities are expected to be available by mid-December. D-Link has advised users to apply the provided hotfix or beta updates until the official firmware is available.
D-Link has not issued a fix for the third reported ‘Authenticated Crontab Injection‘ vulnerability while mentioning it to be a low-threat existing due to intended device functionality. The vendor adds mitigating other vulnerabilities will make it difficult for an attacker to take advantage of this vulnerability.