CVE-2021-44880
Description
D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882_FW1.30B06_Hotfix_02 were discovered to contain a command injection vulnerability in the system function. This vulnerability allows attackers to execute arbitrary commands via a crafted HNAP1 POST request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection vulnerability in the system function of D-Link DIR-878 and DIR-882 routers allows remote attackers to execute arbitrary commands via a crafted HNAP1 POST request.
Vulnerability
A command injection vulnerability exists in the system function of D-Link DIR-878 firmware version v1.30B08_Hotfix_02 and DIR-882 firmware version v1.30B06_Hotfix_02 (both hardware revision Ax). The vulnerability is triggered by sending a specially crafted HNAP1 POST request to the device's management interface. The system function does not properly sanitize user-supplied input, allowing injection of arbitrary operating system commands. [1][2]
Exploitation
An attacker must be on the local network (LAN-side) and able to send HTTP requests to the router's web management interface. No authentication is required to exploit this vulnerability. By crafting a malicious HNAP1 POST request containing command injection payloads in the appropriate parameter, the attacker can execute arbitrary commands on the underlying operating system. [1][2]
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with root privileges on the affected router. This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the router as a pivot point for further network attacks. [1][2]
Mitigation
D-Link has released fixed firmware versions: for DIR-882, version v1.30B06_Hotfix_03 Beta is available as of February 15, 2022 [2]. For DIR-878, the advisory [1] does not explicitly list a fixed version but recommends updating to the latest firmware available on the support page. Users should apply the latest firmware updates from D-Link's support site. No workarounds are provided. [1][2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0. No patches discovered yet.
References
- github.com/pjqwudi/my_vuln/blob/main/D-link/vuln_2/2.md (mitre, x_refsource_MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_MISC)
- supportannouncement.us.dlink.com/announcement/publication.aspx (mitre, x_refsource_MISC)
- www.dlink.com/en/security-bulletin/ (mitre, x_refsource_MISC)