VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2021 · Updated Aug 3, 2024

CVE-2021-20133

Description

Quagga services on D-Link DIR-2640 at firmware version 1.11B02 or earlier are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set the "message of the day" banner to any file on the system, allowing them to read all or some of the contents of those files. Sensitive information such as hashed credentials, hardcoded plaintext passwords for other services, configuration files, and private keys can be disclosed in this fashion. Improper handling of filenames that identify virtual resources, such as "/dev/urandom", allows an attacker to mount a denial-of-service attack against the command line interfaces of the Quagga services (zebra and ripd).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Absolute path traversal in the Quagga services on D-Link DIR-2640 allows an authenticated remote attacker to read arbitrary files and to cause a denial of service against the Quagga CLI.

Vulnerability

An absolute path traversal vulnerability exists in the Quagga services (zebra and ripd) on D-Link DIR-2640 routers running firmware version 1.11B02 or earlier. The message-of-the-day banner option of the vty configuration (banner motd file) accepts an arbitrary absolute file path without validating where it points or what kind of file it names, so an authenticated attacker can make the service read any file on the system. The services listen on TCP ports 2601 (zebra) and 2602 (ripd) and run with root privileges, so no file is off limits. Authentication to the Quagga CLI is required, but the firmware ships with a default password (see CVE-2021-20132) [1].

Exploitation

An attacker who can reach the Quagga services (typically from the local network) authenticates with the default password, enters configuration terminal mode, and points the banner at a target file, for example banner motd file /etc/passwd. On the next connection to the service the contents of that file are printed as the login banner. For denial of service, the attacker instead points the banner at a special device file such as /dev/urandom: the service tries to read the "file" to its end, which never comes, so the CLI of that daemon stops responding [1].
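The Vulnerability and Exploitation paragraphs above describe two defects in one option: the path is not confined to a banner directory, and the file type is not checked, so a device node is read like a text file. The following added example (written for this page; it is not Quagga or D-Link code) shows the validation a hardened banner loader would perform and a scanner that flags an already-exploited configuration. The allowed banner directory /etc/quagga, the 4 KiB size cap, and the sample running-config are assumptions for the demo, not values taken from the advisory.

```python
"""
Hardened handling of a `banner motd file` path, plus a config scanner.
Added example for this advisory; not Quagga or D-Link code.
Assumptions (not stated on the page): banners may only be loaded from a
fixed directory (ALLOWED_BANNER_DIR), and SAMPLE_CONFIG is constructed.
"""
import os
import posixpath
import stat
import tempfile

ALLOWED_BANNER_DIR = "/etc/quagga"          # assumed legitimate banner location
VIRTUAL_PREFIXES = ("/dev/", "/proc/", "/sys/")  # kernel-backed pseudo files
MAX_BANNER_BYTES = 4096                      # assumed sane banner size


def classify_banner_path(path, allowed_dir=ALLOWED_BANNER_DIR):
    """Purely lexical check (no filesystem access).  Returns the reason a
    path handed to `banner motd file` must be refused, or None if it is
    acceptable on its face.  `..` is normalised away before the check."""
    if not path.startswith("/"):
        return "relative path"
    norm = posixpath.normpath(path)
    if any(norm == p.rstrip("/") or norm.startswith(p) for p in VIRTUAL_PREFIXES):
        return "virtual/device path"
    root = posixpath.normpath(allowed_dir)
    if norm != root and not norm.startswith(root + "/"):
        return "outside allowed directory"
    return None


def is_safe_banner_file(path, allowed_dir=ALLOWED_BANNER_DIR):
    """Runtime check a service should perform before open(): lexical
    check, then symlink-resolved containment, then regular-file test so
    that a device such as /dev/urandom is never read as a banner."""
    if classify_banner_path(path, allowed_dir) is not None:
        return False
    real = os.path.realpath(path)
    real_root = os.path.realpath(allowed_dir)
    if real != real_root and not real.startswith(real_root + os.sep):
        return False  # a symlink inside the directory escaped it
    try:
        st = os.stat(real)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_size <= MAX_BANNER_BYTES


def read_banner(path, allowed_dir=ALLOWED_BANNER_DIR):
    """Bounded read: even an unexpected file cannot stall the CLI."""
    if not is_safe_banner_file(path, allowed_dir):
        raise ValueError("refusing banner path: %s" % path)
    with open(path, "rb") as f:
        return f.read(MAX_BANNER_BYTES)


def scan_quagga_config(text, allowed_dir=ALLOWED_BANNER_DIR):
    """Flag `banner motd file` lines in a zebra.conf/ripd.conf dump whose
    path would be refused.  Returns a list of (line_no, path, reason)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if parts[:3] == ["banner", "motd", "file"] and len(parts) >= 4:
            reason = classify_banner_path(parts[3], allowed_dir)
            if reason:
                findings.append((n, parts[3], reason))
    return findings


# Constructed sample of a running-config after the attack in the advisory.
SAMPLE_CONFIG = """\
hostname ripd
password ********
banner motd file /etc/passwd
banner motd file /dev/urandom
banner motd file /etc/quagga/../shadow
banner motd file /etc/quagga/motd.txt
line vty
"""


def demo():
    """Exercise the checks against a temporary banner directory."""
    with tempfile.TemporaryDirectory() as d:
        ok = os.path.join(d, "motd.txt")
        with open(ok, "w") as f:
            f.write("authorised users only\n")
        link = os.path.join(d, "escape")
        os.symlink("/etc/passwd", link)  # lexically inside, resolves outside
        return {
            "regular_file": is_safe_banner_file(ok, d),
            "symlink_escape": is_safe_banner_file(link, d),
            "device": is_safe_banner_file("/dev/urandom", d),
            "banner": read_banner(ok, d),
            "findings": scan_quagga_config(SAMPLE_CONFIG),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lexical check alone is enough to triage a dumped configuration offline; the realpath and S_ISREG checks are what the running service needs, because a path that looks fine can still be a symlink to /etc/shadow or a FIFO that blocks forever.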

Impact

Successful exploitation allows an authenticated attacker to read sensitive files, including hashed credentials, hardcoded plaintext passwords for other services, configuration files, and private keys. The attacker can also deny service to the Quagga CLI interfaces (zebra and ripd), disrupting routing configuration management on the device. The vulnerability gives no file write primitive and no remote code execution on its own [1].

Mitigation

As of the publication date (2021-12-30), no firmware update was available to address this vulnerability. Users should disable the Quagga services if they are not required, or restrict access to TCP ports 2601 and 2602 to trusted hosts only; changing the default CLI password (CVE-2021-20132) removes the easiest route to the authentication this issue requires. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • D-Link / DIR-2640 (source: description)
  • Dlink / DIR-2640 (source: llm-fuzzy)
    Range: <=1.11B02

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.