D-Link DIR-846W A1 FW100A43 - Remote Code Execution (RCE) via OS Command Injection Vulnerability (CVE-2024-44341)

Description

Background & Context

D-Link Systems, Inc. (formerly Datex Systems, Inc.) is a Taiwanese multinational manufacturer of networking hardware and telecoms equipment. The D-Link DIR-846 is a wireless IEEE 802.11ac compliant device that delivers up to 3x faster speeds than 802.11n while staying backward compatible with 802.11n/g/b/a devices. Powered by 802.11ac technology and equipped with four external antennas, this router provides wireless coverage for larger homes and offices, or for users running bandwidth-intensive applications. The DIR-846 also includes a 4-port 100/1000 Fast Ethernet switch that connects to wired devices for uninterrupted video calling and faster file transfers.

Vulnerability Summary

D-Link DIR-846W A1 FW100A43 was discovered to contain four critical vulnerabilities that can be exploited for command injection, due to missing or insufficient sanitisation of untrusted user input to HTTP URL parameters for the wireless GUI. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

The four linked vulnerabilities are:

  • CVE-2024-41622: improper sanitisation of the tomography_ping_address parameter in the /HNAP1/ interface;

  • CVE-2024-44340: improper sanitisation of the smartqos_express_devices and smartqos_normal_devices parameters in SetSmartQoSSettings;

  • CVE-2024-44341: improper sanitisation of the lan(0)_dhcps_staticlist parameter, exploitable through a crafted POST request; and

  • CVE-2024-44342: improper sanitisation of the wl(0).(0)_ssid parameter.
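
Because the four flaws sit in named request parameters, recorded POSTs to the /HNAP1/ interface can be reviewed for shell metacharacters in exactly those fields. The following is an added example, not code from this advisory or from D-Link; it assumes JSON request bodies, and the sample requests, their nesting and their values are constructed placeholders.

```python
import json
import re

# Parameters named in the four CVEs listed above.
WATCHED = {
    "tomography_ping_address": "CVE-2024-41622",
    "smartqos_express_devices": "CVE-2024-44340",
    "smartqos_normal_devices": "CVE-2024-44340",
    "lan(0)_dhcps_staticlist": "CVE-2024-44341",
    "wl(0).(0)_ssid": "CVE-2024-44342",
}
# Separators, substitution and redirection syntax of a POSIX shell.
SHELL_META = re.compile(r"[;|&`<>\r\n]|\$\(|\$\{")

def walk(node):
    """Yield (key, value) for every string-valued key in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, str):
                yield key, value
            else:
                yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)

def scan_request(path, body):
    """Return (cve, parameter, matched_text) findings for one captured POST."""
    if not path.split("?")[0].rstrip("/").upper().endswith("/HNAP1"):
        return []
    try:
        doc = json.loads(body)  # assumption: the request body is JSON
    except ValueError:
        return [("unparsed-body", None, None)]  # flag for manual review
    return [(WATCHED[k], k, m.group(0)) for k, v in walk(doc)
            if k in WATCHED and (m := SHELL_META.search(v))]

# Constructed sample requests (not captured traffic); values are placeholders.
SAMPLES = [
    ("/HNAP1/", '{"SetSmartQoSSettings": {"smartqos_express_devices": "aa:bb:cc:dd:ee:01"}}'),
    ("/HNAP1/", '{"SetSmartQoSSettings": {"smartqos_normal_devices": "aa:bb:cc:dd:ee:02;PLACEHOLDER"}}'),
    ("/HNAP1/", '{"tomography_ping_address": "192.0.2.7`PLACEHOLDER`"}'),
    ("/index.html", '{"tomography_ping_address": "192.0.2.7;PLACEHOLDER"}'),
    ("/HNAP1/", "not json"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, scan_request(path, body))
```

An SSID can legitimately contain characters such as `&`, so hits on wl(0).(0)_ssid are leads for review, not confirmed exploitation attempts.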

Impact If Exploited

Successful exploitation permits remote attackers to execute arbitrary (malicious) code on the target devices.

Threat Landscape & Known Exploitation

As of 2024-09-03, CISA (America's Cyber Defense Agency) has not listed this vulnerability in its Known Exploited Vulnerabilities (KEV) catalogue as actively exploited in the wild. However, because the vendor is not patching these vulnerabilities, they effectively remain permanent '0-day' vulnerabilities, with no patches to be issued for the vulnerable devices. D-Link vulnerabilities have commonly been exploited in the past by malware botnets, such as Mirai and Moobot, to recruit devices into DDoS swarms. Threat actors have also recently exploited a similar flaw in the D-Link DIR-859 router (CVE-2024-0769) to steal passwords and breach devices. The risk of active exploitation should be considered extremely high, and remediation should be prioritised in any impacted environment.

Affected Product Versions

  • DIR-846W (All Series H/W Revisions)

Indicators of Compromise (IoC)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Fix & Remediation Guidance

D-Link is warning that the four remote code execution (RCE) flaws impacting all hardware and firmware versions of the DIR-846W router will not be fixed as the products are no longer supported. Though D-Link acknowledged the security problems and their severity, it noted that they fall under its standard end-of-life/end-of-support policies, meaning there will be no security updates to address them. D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. D-Link recommends that people still using the DIR-846 retire it immediately and replace it with a currently supported model.

Risk

Impact: Critical
Probability: High
CVSS v4 Score:
CVSS v3 Score: 8.8 / 10
CVSS v2 Score: 9 / 10
EPSS: 0.9 %

Information

Category: Command Injection
CWE: CWE-78
Known Exploitation Activity

OWASP

OWASP 2013: A1 - Injection
OWASP 2017: A1 - Injection
OWASP 2021: A3 - Injection