CVE-2022-43627

Vulnerability

The vulnerability is a command injection in the SetStaticRouteIPv4Settings handler of the web management portal on D-Link DIR-1935 routers running firmware version 1.03 (specifically DIR1935A1_FW1.03B02_Beta_ipv6_default_gateway_20181224.bin as tested [1]). When parsing subelements within the StaticRouteIPv4Data element, the process fails to validate a user-supplied string before using it in a system call, allowing injection of arbitrary commands [2]. Authentication is required but can be bypassed via another vulnerability (CVE-2022-43620) [1].

Exploitation

An attacker must be network-adjacent (same LAN or wireless) and have valid credentials or leverage an authentication bypass (e.g., CVE-2022-43620) [1]. The attacker sends a crafted SetStaticRouteIPv4Settings request to the web management portal with malicious input in the StaticRouteIPv4Data subelements. The lack of input validation leads to command injection when the router executes the system call [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of root, gaining full control over the router [2]. This can lead to complete compromise of confidentiality, integrity, and availability of the device and network traffic passing through it.

Mitigation

D-Link has released firmware version 1.03b02 to address this vulnerability [1]. Users should update to the latest firmware available from the D-Link support site. No workaround is provided; the device is not listed as end-of-life. The vulnerability is not known to be in CISA's KEV as of publication.