CVE-2022-43184

Vulnerability

The D-Link DIR878 router firmware version 1.30B08 Hotfix_04 contains a command injection vulnerability in the /bin/proc.cgi component. The CGI script passes user-supplied input to a system call without proper sanitization, allowing injection of arbitrary commands. The vulnerable code path involves storing user input in nvram and later retrieving it via /lib/librcm.so, which concatenates and executes it using twsystem. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the web server (typically at 192.168.0.1) with malicious command payloads in parameters processed by /bin/proc.cgi. No authentication is required as the service is exposed by default. [1]

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of the router, including data exfiltration, malware installation, and network pivoting.

Mitigation

As of the publication date (2022-10-19), no official patch has been released by D-Link. The reference [2] points to D-Link's security bulletin page, but no specific advisory for this CVE is available. Users are advised to restrict access to the management interface or upgrade to a fixed version if one becomes available. The device may be approaching end-of-life status.