Multiple critical command injection vulnerabilities have been identified in the D-Link DSR VPN router family. These vulnerabilities are tracked as CVE-2020-25757, CVE-2020-25759 and CVE-2020-25758, and can allow an attacker to gain complete root access to the affected device. Vulnerability management software can detect and mitigate vulnerabilities. The affected D-Link routers are commonly available on consumer websites, e-commerce sites and retail outlets, and are used by a large number of people. As more employees work from home due to the pandemic, the risk of connecting to corporate networks through these devices is greater. A person connecting to the corporate network through an affected device exposes not only their own environment but also the corporate network.
Details
- CVE-2020-25757: Unauthenticated Remote Root Command Injection
D-Link VPN routers allow various Lua CGI actions, such as ‘/platform.cgi?action=duaAuth’ and ‘/platform.cgi?action=duaLogout’, without authentication. These actions execute a Lua library function and pass the user-supplied data to a call to the ‘os.popen’ function. Any unauthenticated user can thus inject arbitrary commands via crafted requests, which execute with root privileges. A vulnerability management tool can avoid this.
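As an added, defender-side example that is not part of the original advisory, the following Python script scans web-server access-log lines for requests to the unauthenticated ‘/platform.cgi’ actions named above and flags any parameter value carrying shell metacharacters, which is exactly the kind of data that reaches ‘os.popen’ unfiltered. The log lines are constructed for the example (the DSR's real log format is not given on this page), and the common-log-format layout and the ‘user’ parameter name are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real D-Link output.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2020:10:01:02 +0000] "GET /platform.cgi?action=duaAuth&user=alice HTTP/1.1" 200 512
192.0.2.10 - - [10/Dec/2020:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.7 - - [10/Dec/2020:10:02:30 +0000] "GET /platform.cgi?action=duaAuth&user=alice%3Becho%20probe HTTP/1.1" 200 128
198.51.100.7 - - [10/Dec/2020:10:02:31 +0000] "GET /platform.cgi?action=duaLogout&user=bob HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The Lua CGI actions the advisory says are reachable without authentication.
UNAUTH_ACTIONS = {"duaAuth", "duaLogout"}

# Characters a shell interprets; user data containing them reaching os.popen is the bug.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def parse_line(line):
    """Split one access-log line into its fields plus decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %3B becomes ';' here.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return 'alert', 'watch' or None for a parsed record."""
    if rec is None or rec["path"] != "/platform.cgi":
        return None
    action = rec["params"].get("action", [""])[0]
    if action not in UNAUTH_ACTIONS:
        return None
    for name, values in rec["params"].items():
        if name == "action":
            continue
        if any(SHELL_META.search(v) for v in values):
            return "alert"
    # An unauthenticated action with clean parameters is still worth recording.
    return "watch"


def scan(log_text):
    """Return (alert_ips, watch_ips) in log order."""
    alerts, watch = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict == "alert":
            alerts.append(rec["ip"])
        elif verdict == "watch":
            watch.append(rec["ip"])
    return alerts, watch


if __name__ == "__main__":
    alert_ips, watch_ips = scan(SAMPLE_LOG)
    print("alerts:", alert_ips)
    print("watch:", watch_ips)
```

Running the script on the constructed lines reports the third line as an alert and records the two clean ‘duaAuth’/‘duaLogout’ requests as watch items; the metacharacter set is deliberately broad, since anything a shell treats specially is worth a look on an endpoint that needs no credentials.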
- CVE-2020-25759: Authenticated Root Command Injection
D-Link VPN routers include a ‘Package Management’ form in the ‘Unified Services Router’ web interface which forwards requests to the Lua CGI, but the Lua CGI employs no server-side filtering of the multipart data it receives. The unfiltered data is thus passed to the ‘os.execute’ function, allowing authenticated users to inject arbitrary commands via crafted requests, which execute with root privileges.
- CVE-2020-25758: Authenticated Crontab Injection
D-Link VPN routers allow authenticated users to download and upload the router configuration file, which is stored in plain text. An authenticated user can upload a crafted configuration file containing new CRON entries and thus inject arbitrary CRON entries into the configuration, which are then executed as arbitrary commands.
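As an added example (not from the advisory or from D-Link), this Python check compares the CRON entries in an uploaded configuration file against a known-good baseline and an allowlist of expected commands, so that an entry nobody expects is caught before the file is applied. The configuration layout (a ‘[cron]’ section of crontab lines), the sample contents and the allowlist are all constructed assumptions, since the page does not document the real file format.

```python
import re

# Constructed sample of a plain-text router configuration; the real DSR file
# format is not documented on the page, so a "[cron]" section holding one
# crontab line per entry is an assumption made for this example.
BASELINE_CONFIG = """\
[system]
hostname=dsr-250
[cron]
0 3 * * * /usr/sbin/logrotate
*/5 * * * * /usr/bin/check_wan
"""

# The same file after an upload that appended one entry not in the baseline.
UPLOADED_CONFIG = BASELINE_CONFIG + "* * * * * /tmp/unexpected.sh\n"

# Five schedule fields, then the command (its first token is what we allowlist).
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<cmd>\S.*)$")

# Commands the firmware's own cron entries are expected to run (assumed list).
ALLOWED_COMMANDS = {"/usr/sbin/logrotate", "/usr/bin/check_wan"}


def cron_entries(config_text):
    """Return the non-empty, non-comment lines inside the [cron] section."""
    entries, in_cron = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_cron = line == "[cron]"
            continue
        if in_cron:
            entries.append(line)
    return entries


def review_upload(baseline, uploaded):
    """Return [(entry, [reasons])] for every uploaded cron entry that should block the apply."""
    known = set(cron_entries(baseline))
    findings = []
    for entry in cron_entries(uploaded):
        reasons = []
        m = CRON_LINE.match(entry)
        if m is None:
            reasons.append("malformed crontab line")
        elif m.group("cmd").split()[0] not in ALLOWED_COMMANDS:
            reasons.append("command not in allowlist")
        if entry not in known:
            reasons.append("entry absent from baseline")
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in review_upload(BASELINE_CONFIG, UPLOADED_CONFIG):
        print(f"REJECT {entry!r}: {', '.join(reasons)}")
```

The two checks are independent on purpose: the baseline diff catches any change to the cron section, while the allowlist still rejects an entry that was smuggled into the baseline itself. Either finding should stop the configuration from being applied until an administrator has looked at it.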
Affected
Affects the following D-Link DSR routers with firmware versions v3.17 and below:
- D-Link DSR-150
- D-Link DSR-150N
- D-Link DSR-250
- D-Link DSR-250N
- D-Link DSR-500
- D-Link DSR-500N
- D-Link DSR-500AC
- D-Link DSR-1000
- D-Link DSR-1000N
- D-Link DSR-1000AC
More details on affected versions can be found here.
Impact of Command Injection Vulnerabilities
An attacker can run arbitrary commands with root privileges on the affected firmware.
Solution
D-Link has currently provided beta firmware or hot-fix releases for only two of the three reported vulnerabilities. Official firmware releases for these two vulnerabilities are expected to be available by mid-December. D-Link has advised users to apply the provided hotfix or beta updates until the official firmware is available.
D-Link has not issued a fix for the third reported vulnerability, ‘Authenticated Crontab Injection’, describing it as a low-threat issue that exists because of intended device functionality. The vendor adds that mitigating the other vulnerabilities will make it difficult for an attacker to take advantage of this one.