Advisory for D-Link VPN Router Vulnerabilities

Summary:

DDI-VRT-2020-01 – D-Link VPN Routers Unauthenticated Remote Root Command Injection (CVE-2020-25757)

DDI-VRT-2020-02 – D-Link VPN Routers Authenticated Root Command Injection (CVE-2020-25759)

DDI-VRT-2020-03 – D-Link VPN Routers Authenticated Crontab Injection (CVE-2020-25758)

Details

Vulnerability:

D-Link Unauthenticated & Authenticated Command Injection Vulnerabilities

Impact:

Unauthenticated attackers could execute arbitrary commands with root privileges.

Application/Version Affected:

DSR-150, DSR-250, DSR-500, DSR-1000AC

Firmware versions v3.17 and earlier

Details:

D-Link VPN Routers using the Unified Services Router web interface exhibit multiple flaws which could allow a remote attacker to execute arbitrary commands with root privileges.

The first issue is accessible without authentication requiring only the web interface be available to execute arbitrary code via a lua library that passes user-supplied data to a call as part of a command to calculate a hash.

The second issue requires authentication and exploits the Package Management form in the web interface which lacks server-side filtering for multi-part POST payloads.

On the third issue, D-Link acknowledges as intended device functionality.