CVE-2021-20134
Description
Quagga Services on D-Link DIR-2640 less than or equal to version 1.11B02 are affected by an absolute path traversal vulnerability that allows a remote, authenticated attacker to set an arbitrary file on the router's filesystem as the log file used by either Quagga service (zebra or ripd). Subsequent log messages will be appended to the file, prefixed by a timestamp and some logging metadata. Remote code execution can be achieved by using this vulnerability to append to a shell script on the router's filesystem, and then awaiting or triggering the execution of that script. A remote, unauthenticated root shell can easily be obtained on the device in this fashion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Absolute path traversal in Quagga services on D-Link DIR-2640 allows authenticated remote attackers to append arbitrary content to any file, leading to remote code execution as root.
Vulnerability
The D-Link DIR-2640 router running firmware version 1.11B02 or earlier enables the Quagga network configuration services (zebra and ripd) by default. These services listen on TCP ports 2601 and 2602 respectively. An absolute path traversal vulnerability exists in the log file configuration functionality. An authenticated attacker with access to the Quagga command-line interface can set the log file path to an arbitrary location on the router's filesystem. Subsequent log messages from the Quagga service will be appended to that file, prefixed with a timestamp and logging metadata. This affects both zebra and ripd daemons, which run with root privileges. [1]
Exploitation
An attacker must first authenticate to the Quagga service. The service uses a default password that can be easily discovered (CVE-2021-20132), allowing an unauthenticated attacker to gain authenticated access. Once authenticated, the attacker enters configuration terminal mode and sets the log file path to a target file, such as a shell script that will be executed later (e.g., a cron job or startup script). The attacker then triggers log messages (e.g., by sending crafted network packets) that append content to the target file. By carefully crafting the log message content, the attacker can inject shell commands into the file. The attacker then awaits or triggers execution of the script, achieving remote code execution. [1]
Impact
Successful exploitation allows an attacker to append arbitrary content to any file on the filesystem, including shell scripts. Since the Quagga daemons run as root, the attacker can achieve remote code execution with root privileges. This can lead to full compromise of the router, including the ability to install persistent backdoors, exfiltrate data, or pivot to internal networks. The CVSSv3 base score is 8.4 (High) with a vector of AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. [1]
Mitigation
As of the publication date (2021-12-30), D-Link has not released a firmware update to address this vulnerability. The latest firmware version 1.11B02 is affected. Users are advised to disable the Quagga services if not needed, or restrict network access to the Quagga ports (2601, 2602) to trusted hosts only. Changing the default password for Quagga services can mitigate the authentication bypass (CVE-2021-20132) but does not fix the path traversal itself. No patch is currently available. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/DIR-2640
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing path validation in the Quagga CLI's log file configuration command allows an authenticated attacker to set the log file path to any file on the filesystem, enabling arbitrary file append."
Attack vector
An attacker must first authenticate to the Quagga CLI on TCP port 2601 (zebra) or 2602 (ripd). The advisory notes these services use a default password that can be easily discovered [1]. Once authenticated, the attacker enters configuration terminal mode and sets the log file path to an arbitrary file on the filesystem (e.g., a shell script). The attacker then issues a `logmsg alerts` command, which appends a timestamped log line to the targeted file. By crafting the log message to contain shell commands, the attacker can inject arbitrary code into a script that will later be executed, achieving remote code execution as root [1].
Affected code
The vulnerability exists in the Quagga services (zebra and ripd) running on the D-Link DIR-2640 router with firmware version 1.11B02 or earlier. The affected code paths are the configuration terminal commands that allow setting the log file path and issuing log messages via the `logmsg` command [1].
What the fix does
The advisory states that D-Link provided patched firmware on October 17, 2021, but the specific patch details are not shown in the bundle [1]. The advisory recommends that users disable the Quagga zebra and ripd services as a workaround, and notes that an intrepid user could craft a shell command to disable the services and use the file-append vulnerability to write that command to a script executed on reboot [1]. No patch diff is available in the provided materials.
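The root cause given above is a missing check on the log file path. The following is an added example of such a check, a lexical confinement test written for this page; it is not Quagga's or D-Link's code and not the vendor fix. `LOG_DIR`, `normalize_abs` and `log_path_allowed` are assumed names, and symlinks inside the log directory are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: log files may only live under this directory. */
#define LOG_DIR "/var/log/quagga"

/* Lexically normalise an absolute path into out (collapses "//", "." and "..").
 * Returns 0 on success, -1 if the path is relative or does not fit. */
static int normalize_abs(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    if (in == NULL || in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;                      /* skip separators */
        size_t n = strcspn(in, "/");                  /* length of next component */
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* ".." drops the last component */
        } else if (!(n == 1 && in[0] == '.')) {       /* "." is skipped */
            if (len + 1 + n >= outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Returns 1 only if path names an entry strictly inside LOG_DIR, else 0. */
int log_path_allowed(const char *path)
{
    char norm[4096];
    size_t dlen = strlen(LOG_DIR);
    if (normalize_abs(path, norm, sizeof norm) != 0) return 0;
    /* Require the "LOG_DIR/" prefix so a sibling such as "/var/log/quagga-old" fails. */
    return strncmp(norm, LOG_DIR, dlen) == 0 && norm[dlen] == '/';
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "/var/log/quagga/zebra.log", "/etc/example.sh",
                              "/var/log/quagga/../../etc/example.sh" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i], log_path_allowed(samples[i]) ? "allow" : "reject");
    return 0;
}
```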
Preconditions
- auth: Attacker must authenticate to the Quagga CLI (zebra on TCP 2601 or ripd on TCP 2602) using the default password
- network: Attacker must have network access to the router's LAN-side ports (2601/2602)
- config: The target file must be writable and reside on a persistent filesystem for modifications to survive reboot
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] www.tenable.com/security/research/tra-2021-44 (mitre, x_refsource_MISC)