Unrated severity · NVD Advisory · Published Dec 23, 2022 · Updated Apr 15, 2025

CVE-2022-46561

Description

D-Link DIR-882 (firmware DIR882A1_FW130B06) and DIR-878 (firmware DIR_878_FW1.30B08) were discovered to contain a stack overflow via the Password parameter in the SetWanSettings module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link DIR-878 and DIR-882 routers contain a stack overflow in the SetWanSettings module via the Password parameter, allowing remote code execution.

Vulnerability

The SetWanSettings module in D-Link DIR-878 (firmware version DIR_878_FW1.30B08) and DIR-882 (firmware version DIR882A1_FW130B06) routers contains a stack overflow vulnerability [1][2][3][4]. The issue occurs when the Password parameter is processed by the decrypt_aes function and subsequently passed to sub_426D74, where unchecked copy operations overwrite a stack buffer [1][2][3][4]. The vulnerability is triggerable when the WAN connection mode is set to PPPoE, L2TP, or PPTP [1][2][3].

Exploitation

An attacker must have administrative access to the router's web interface (typically at 192.168.0.1) and send a crafted HTTP POST request to the /HNAP1/ endpoint with the SOAPACTION header set to "http://purenetworks.com/HNAP1/SetWanSettings" [1][2][3][4]. The request includes an oversized Password field in the XML body, which triggers the stack overflow when the router processes the input [1][2][3][4]. No user interaction is required beyond the attacker possessing valid admin credentials.
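A detection check for the request shape described above, as an added example that is not part of the advisory or of D-Link's code. The length threshold, the function names and the simplified sample requests are assumptions made for illustration.

```python
import re

# Values taken from the advisory text.
HNAP_PATH = "/HNAP1"
SOAP_ACTION = "http://purenetworks.com/HNAP1/SetWanSettings"
# Assumption: alert threshold chosen for illustration; the advisory gives no
# buffer size, so tune it to the longest Password your own clients send.
MAX_PASSWORD_LEN = 128

# Opening <Password> tag (optional namespace prefix), then everything up to
# the next tag or end of body, so an unterminated element is still measured.
PASSWORD_RE = re.compile(rb"<(?:\w+:)?Password\b[^>]*>([^<]*)")


def inspect_request(raw: bytes, limit: int = MAX_PASSWORD_LEN):
    """Return a finding dict for an oversized SetWanSettings Password, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0].rstrip("/") != HNAP_PATH:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Header names are case-insensitive and the value is usually quoted.
    if headers.get("soapaction", "").strip('"') != SOAP_ACTION:
        return None
    longest = max((len(m.group(1).strip()) for m in PASSWORD_RE.finditer(body)), default=0)
    if longest <= limit:
        return None
    return {"action": "SetWanSettings", "password_len": longest, "limit": limit}


def build_sample(password: str) -> bytes:
    """Constructed, simplified request (no auth headers, no SOAP envelope)."""
    body = f"<SetWanSettings><Password>{password}</Password></SetWanSettings>"
    return (f"POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            f'SOAPAction: "{SOAP_ACTION}"\r\n'
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


if __name__ == "__main__":
    for pw in ("3f9a" * 8, "41" * 400):  # constructed: normal vs. oversized
        print(len(pw), inspect_request(build_sample(pw)))
```

The check flags on Password length alone, regardless of WAN mode, which is the conservative choice for a proxy or log-replay filter in front of the management interface.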

Impact

Successful exploitation allows an authenticated attacker to overwrite stack memory and achieve remote code execution on the affected device [1][2][3][4]. The code runs with system-level privileges, giving the attacker full control over the router.

Mitigation

As of the publication date, no official patch has been released by D-Link [1][2][3][4]. The firmware versions DIR_878_FW1.30B08 and DIR882A1_FW130B06 are known to be vulnerable. Users should restrict administrative access to the local network and monitor for any firmware updates from the vendor. The CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Dlink/DIR882
    Range: = DIR882A1_FW130B06
  • Dlink/DIR878
    Range: = DIR_878_FW1.30B08

Patches

No patches discovered yet.
