CVE-2019-20213
Description
D-Link DIR-859 routers before v1.07b03_beta allow Unauthenticated Information Disclosure via the AUTHORIZED_GROUP=1%0a value, as demonstrated by vpnconfig.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-859 routers before v1.07b03_beta expose VPN configuration data to unauthenticated LAN attackers via a crafted AUTHORIZED_GROUP parameter.
Vulnerability
An unauthenticated information disclosure vulnerability exists in D-Link DIR-859 routers running firmware versions before v1.07b03_beta. By sending a request with the parameter AUTHORIZED_GROUP=1%0a to the vpnconfig.php script, an attacker can retrieve sensitive VPN configuration data without any authentication. The vulnerability affects the DIR-859 Rev. Ax device firmware v1.06b01_Beta01 and older [1][2].
Exploitation
An attacker needs only LAN-side (in-home) network access to the affected device. No authentication or user interaction is required. The exploit is performed by sending a crafted HTTP request to the router's administrative web interface containing AUTHORIZED_GROUP=1%0a as a parameter, which bypasses authorization checks and causes the device to return VPN configuration details [1][2].
Impact
Successful exploitation results in unauthorized disclosure of sensitive VPN configuration information. This could include credentials, network topology details, or other private data used for VPN connectivity. The impact is limited to information disclosure; the attacker does not gain code execution or direct control over the device from this specific vulnerability [1][2].
Mitigation
D-Link has released firmware version v1.07b03_beta to address this vulnerability. Users should update their DIR-859 routers to this version or later. No workaround is available if patching is not possible. D-Link notes that many affected models have reached End of Support/EOL, so upgrades may be necessary. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-859
Patches
No patches discovered yet.
References
- medium.com/%40s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f (mitre, x_refsource_MISC)
- medium.com/%40s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-es-6540f7f55b03 (mitre, x_refsource_MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_MISC)