CVE-2022-43619

Vulnerability

This vulnerability resides in the ConfigFileUpload handler of the D-Link DIR-1935 router's web management portal, specifically in firmware version DIR1935A1_FW1.03B02 (as tested by ZDI) [1][2]. The flaw is a format string vulnerability where the application fails to properly validate a user-supplied string before using it as a printf-style format specifier [2]. Although authentication is required to reach the vulnerable endpoint, the authentication mechanism can be bypassed [2].

Exploitation

An attacker must be network-adjacent and gain authenticated access to the web interface, though the authentication bypass (e.g., via a separate vulnerability such as CVE-2022-43620 [1]) eliminates the need for valid credentials. Once authenticated, the attacker sends a specially crafted ConfigFileUpload request containing a malicious format string as part of the request parameters. No user interaction is required [2].

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the root user, granting full control over the router. This leads to complete compromise of confidentiality, integrity, and availability of the device [2].

Mitigation

As of the publication date of this CVE (2023-03-29), D-Link has acknowledged the vulnerability and stated that security patches are under development, but no fixed firmware version has been released [1]. No workaround is known. Users should monitor D-Link's support page for future updates [1].