CVE-2022-28571

Vulnerability

The D-Link DIR-882 A1 Wi-Fi router running firmware version DIR882A1_FW130B06 contains a command injection vulnerability in the /usr/bin/cli binary [1]. The router allows starting telnet without authentication, after which a constrained shell is accessible. Within this constrained shell, the /usr/bin/cli binary does not properly sanitize user input, enabling an attacker to inject arbitrary commands by appending malicious payloads such as ; ps to legitimate commands like ping [1].

Exploitation

An attacker needs network access to the router and must first enable telnet (which can be done without authentication) [1]. Once telnet is enabled, the attacker can log in using the default credentials admin with password admin@twsz2018 [1]. After logging in, the constrained shell is presented; the attacker then executes a command via /usr/bin/cli that includes a command injection payload (e.g., ping 1.1.1.1 & ps) to execute arbitrary system commands [1]. No additional privileges or user interaction beyond network access and default credentials are required.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the router with root privileges, leading to full compromise of the device. This includes the ability to read sensitive information, modify device configuration, and potentially pivot to other devices on the network [1].

Mitigation

D-Link has not released a fixed firmware version for the DIR-882 A1 as of the publication date (2022-05-02) [1][2]. D-Link's security bulletin page [2] does not list this specific vulnerability, and the vendor may not provide a patch as the device may be end-of-life or end-of-support. Users should consider isolating the router from untrusted networks and disabling telnet access if possible [1]. No workaround is provided by the vendor.