Critical Command Injection Vulnerabilities in D-Link DSR VPN Routers

Dec 9, 2020 | By Shakeel Bhat | 3 min read

Multiple critical command injection vulnerabilities have been identified in the D-Link DSR VPN router family. They are tracked as CVE-2020-25757, CVE-2020-25759 and CVE-2020-25758 and can allow an attacker to gain complete root access to the affected device. Vulnerability management software can detect and mitigate vulnerabilities. The affected D-Link routers are commonly available on consumer websites, e-commerce sites and retail outlets and are used by a large number of people. As more employees work from home due to the pandemic, the risk posed by connecting to corporate networks through these devices increases. A person connecting to the corporate network through an affected device exposes not only their own environment but also the corporate network.

Details

  • CVE-2020-25757: Unauthenticated Remote Root Command Injection 

D-Link VPN routers allow various Lua CGI actions, such as ‘/platform.cgi?action=duaAuth’ and ‘/platform.cgi?action=duaLogout’, without authentication. These actions execute a Lua library function and pass the user-supplied data to a call to the ‘os.popen’ function. Any unauthenticated user can thus inject arbitrary commands via crafted requests, and those commands execute with root privileges. A vulnerability management tool can avoid this.

  • CVE-2020-25759: Authenticated Root Command Injection

D-Link VPN routers include a ‘Package Management’ form in the ‘Unified Services Router’ web interface which forwards requests to the Lua CGI, but the Lua CGI employs no mechanism for server-side filtering of the multi-part data it receives. The unfiltered data is thus passed on to the ‘os.execute’ function, allowing authenticated users to inject arbitrary commands via crafted requests, which will execute with root privileges.

  • CVE-2020-25758: Authenticated Crontab Injection

D-Link VPN routers allow authenticated users to download and upload the router configuration file, which is in plain text. An authenticated user can upload a crafted configuration file with new CRON entries and thus inject arbitrary CRON entries into the configuration, which are then executed as arbitrary commands.
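
A detection sketch for CVE-2020-25757, added here as an example and not taken from the advisory or from D-Link: it scans web access logs for requests to the two unauthenticated actions whose parameters carry shell metacharacters. The combined log format, the `user` parameter name and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Actions the advisory lists as reachable without authentication.
UNAUTH_ACTIONS = {"duaAuth", "duaLogout"}
# Characters a shell interprets as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Assumed log layout: Apache/nginx "combined" format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; "user" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2020:10:01:02 +0000] "GET /platform.cgi?action=duaAuth&user=alice HTTP/1.1" 200 512',
    '198.51.100.23 - - [09/Dec/2020:10:03:44 +0000] "GET /platform.cgi?action=duaAuth&user=x%3By HTTP/1.1" 200 87',
    '198.51.100.23 - - [09/Dec/2020:10:03:51 +0000] "GET /platform.cgi?action=duaLogout&user=x%2524%2528y%2529 HTTP/1.1" 200 87',
    '192.0.2.10 - - [09/Dec/2020:10:05:00 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
    'truncated or malformed line',
]

def inspect_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parsable access-log line
    src, when, _method, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/platform.cgi"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)
    action = next((v for k, v in params if k == "action"), None)
    if action not in UNAUTH_ACTIONS:
        return None
    # parse_qsl decodes once; decode again so double-encoded bytes are caught.
    bad = sorted({k for k, v in params
                  if k != "action" and SHELL_META.search(unquote(v))})
    if not bad:
        return None
    return {"src": src, "time": when, "action": action,
            "params": bad, "status": int(status)}

def scan(lines):
    """Findings for every line that targets an unauthenticated action."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so parameters sent in a request body need the same check applied at a reverse proxy or WAF that sees the body.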

Affected

Affects the following D-Link DSR Routers with firmware versions v3.17 & below:

    • D-Link DSR-150
    • D-Link DSR-150N
    • D-Link DSR-250
    • D-Link DSR-250N
    • D-Link DSR-500
    • D-Link DSR-500N
    • D-Link DSR-500AC
    • D-Link DSR-1000
    • D-Link DSR-1000N
    • D-Link DSR-1000AC

More details on affected versions can be found here.

Impact of Command Injection Vulnerabilities

An attacker can run arbitrary commands with root privileges on the affected firmware.

Solution

D-Link has currently provided beta firmware or hot-fix releases for only two out of the three reported vulnerabilities. The official firmware releases for these two vulnerabilities are expected to be available by mid-December. D-Link has advised users to apply the provided hotfix or beta updates until the official firmware is available.

D-Link has not issued a fix for the third reported vulnerability, ‘Authenticated Crontab Injection’, describing it as a low threat that exists due to intended device functionality. The vendor adds that mitigating the other vulnerabilities will make it difficult for an attacker to take advantage of this one.
