CVE-2022-43630

Vulnerability

The vulnerability is a stack-based buffer overflow in the handling of HTTP requests to the web management portal of D-Link DIR-1935 routers running firmware version 1.03 (specifically DIR1935A1_FW1.03B02_Beta_ipv6_default_gateway_20181224.bin as tested [1]). When parsing the SOAPAction header, the process does not properly validate the length of user-supplied data before copying it to a fixed-length stack-based buffer. This flaw exists in the web server component that processes SOAP requests. No authentication is required to reach the vulnerable code path.

Exploitation

An attacker must be network-adjacent (i.e., on the same local network) to the affected router. No prior authentication or user interaction is needed. The attacker sends a crafted HTTP request to the router's web management portal with an overly long SOAPAction header. The lack of length validation causes a stack-based buffer overflow, overwriting adjacent memory. The attacker can control the overflow data to achieve code execution.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of root, the highest privilege level on the router. This results in full compromise of the device, including complete confidentiality, integrity, and availability loss (CVSS 8.8, AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [2]). The attacker can install persistent malware, exfiltrate network traffic, or use the router as a pivot point.

Mitigation

D-Link has released firmware version 1.03b02 to address this vulnerability [1]. Users should update their DIR-1935 routers to the latest firmware available from the D-Link support website. No workarounds are documented; however, disabling remote management and restricting access to the web management portal to trusted networks can reduce exposure. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.