CVE-2021-34201
Description
D-Link DIR-2640-US 1.01B04 is vulnerable to buffer overflow. There are multiple out-of-bounds vulnerabilities in some processes of the D-Link AC2600 (DIR-2640). Local ordinary users can overwrite the global variables in the .bss section, causing the process to crash or change its behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-2640-US router firmware 1.01B04 contains a buffer overflow in nl_server, allowing local attackers to crash the process or alter global variables.
Vulnerability
D-Link DIR-2640-US router firmware version 1.01B04 contains multiple out-of-bounds write vulnerabilities in the nl_server process. The software does not validate the length of the -s parameter, leading to a buffer overflow when an overly long string is supplied. This allows overwriting global variables in the .bss section, causing the process to crash or behave unexpectedly. The affected product is the D-Link AC2600 (DIR-2640) router running firmware 1.01B04 [1].
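The length check that the paragraph above says is missing, as an added C example (not D-Link's code and not taken from the referenced PoC). The buffer size, the struct layout and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout: a fixed-size global buffer with another zero-initialised
 * global right behind it, as they could sit side by side in .bss.
 * Names and sizes are hypothetical, not taken from the firmware. */
#define SERVER_NAME_MAX 64
static struct {
    char server_name[SERVER_NAME_MAX]; /* destination for the -s value */
    int  listen_port;                  /* neighbour an overflow would clobber */
} g_state;

/* Unchecked pattern implied by the description (for contrast, never called):
 *     strcpy(g_state.server_name, arg);
 */

/* Copy the -s value only if it fits, terminator included.
 * Returns 0 on success, -1 if arg is NULL or too long (state untouched). */
int set_server_name(const char *arg)
{
    if (arg == NULL)
        return -1;
    /* memchr stops at the first NUL, so it never reads past a short arg. */
    const char *nul = memchr(arg, '\0', SERVER_NAME_MAX);
    if (nul == NULL)
        return -1;                     /* no terminator within the buffer size */
    memcpy(g_state.server_name, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Minimal option scan: 0 if every -s value was accepted, -1 otherwise. */
int parse_args(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-s") == 0) {
            if (i + 1 >= argc || set_server_name(argv[++i]) != 0)
                return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    g_state.listen_port = 8080;        /* constructed value */
    if (parse_args(argc, argv) != 0) {
        fprintf(stderr, "example: missing or over-long -s value\n");
        return 2;
    }
    printf("server name: %s\n", g_state.server_name);
    return 0;
}
```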
Exploitation
An attacker must have local (non-administrative) shell access to the router. The nl_server binary is world-executable (-rwxr-xr-x). Exploitation involves running nl_server with an excessively long -s argument, as demonstrated by a Proof of Concept (PoC) using a string of 'a' characters followed by 'b's [1]. The attacker does not require elevated privileges or user interaction.
Impact
Successful exploitation can cause the nl_server process to crash, resulting in a denial of service, or potentially alter global variables in memory, leading to arbitrary modifications of process behavior. The CVSS score is 7.1 (High) with impact on integrity and availability, but not confidentiality [1].
Mitigation
D-Link has released a firmware update to address this vulnerability. The fixed version is DIR-2640_REVA_FIRMWARE_v1.11B02_BETA01_HOTFIX, available from the D-Link support website [1]. Users should upgrade to this version or later. No workaround is available if the patch is not applied.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/AC2600
Patches
No patches discovered yet.
References
- d-link.com (mitre, x_refsource_MISC)
- dir-2640-us.com (mitre, x_refsource_MISC)
- github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-34201 (mitre, x_refsource_MISC)
- www.dlink.com/en/security-bulletin/ (mitre, x_refsource_MISC)