CVE-2022-46563
Description
D-Link DIR-882 DIR882A1_FW130B06, DIR-878 DIR_878_FW1.30B08 was discovered to contain a stack overflow via the Password parameter in the SetDynamicDNSSettings module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack overflow in D-Link DIR-878 and DIR-882 routers via the Password parameter in SetDynamicDNSSettings, allowing unauthenticated remote code execution.
Vulnerability
A stack overflow vulnerability exists in the SetDynamicDNSSettings module of D-Link DIR-878 (firmware version DIR_878_FW1.30B08.bin) and DIR-882 (firmware version DIR882A1_FW130B06.bin). The Password parameter supplied via the HNAP1 protocol is passed through the decrypt_aes function and then to sub_426D74, where a loop copies the decoded value onto the stack without bounds checking, leading to overflow [1][2].
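The unbounded-copy pattern described above, shown next to a bounded form, as an added C example; it is not code from the D-Link firmware or from the cited references. The buffer size `PASSWORD_BUF_LEN` and all function names are assumptions, since the page gives neither.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the page does not give the real stack buffer length. */
#define PASSWORD_BUF_LEN 64

/* Pattern the page describes: no bound on dst. For contrast only; never called. */
void copy_unbounded(char *dst, const char *src)
{
    while (*src != '\0')
        *dst++ = *src++;
    *dst = '\0';
}

/* Bounded form. Returns 0 on success, -1 when the decoded value plus its
 * terminator does not fit. It rejects instead of truncating, so an oversized
 * Password is an error rather than a silently different credential. */
int copy_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    const char *nul = memchr(src, '\0', src_len);   /* stop at an embedded NUL */
    size_t n = nul ? (size_t)(nul - src) : src_len;
    if (n >= dst_len) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hypothetical handler: returns the stored length, or -1 if rejected. */
int store_ddns_password(const char *decoded, size_t decoded_len)
{
    char password[PASSWORD_BUF_LEN];    /* fixed-size stack buffer */
    if (copy_bounded(password, sizeof password, decoded, decoded_len) != 0)
        return -1;
    return (int)strlen(password);
}

int main(void)
{
    char oversized[200];                /* constructed input, longer than the buffer */
    memset(oversized, 'A', sizeof oversized);
    printf("normal:    %d\n", store_ddns_password("example-pass", 12));
    printf("oversized: %d\n", store_ddns_password(oversized, sizeof oversized));
    return 0;
}
```

The length check uses the decoded length reported by the decoder rather than trusting a terminator, so input that is not NUL-terminated is still bounded.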
Exploitation
An attacker must be on the local network and send a crafted HTTP POST request to the /HNAP1/ endpoint with a malicious Password value in the SOAP action SetDynamicDNSSettings. The request requires a valid session cookie (HNAP_AUTH), which can be obtained by logging into the router as admin (default credentials are often left unchanged). No user interaction beyond the login is needed [1][2].
Impact
Successful exploitation overflows a stack buffer, allowing the attacker to overwrite return addresses and potentially achieve arbitrary code execution with root privileges on the router. This can lead to full device compromise, including information disclosure, denial of service, or use of the router as a pivot point in the network [1][2].
Mitigation
As of the publication date (2022-12-23), no official patch has been released by D-Link. The DIR-878 and DIR-882 models are affected and may be end-of-life (EOL); users should check the D-Link security bulletin [3] for updates. Workarounds include restricting HNAP access to trusted IPs via firewall rules and changing the default admin password. No known CISA KEV listing exists.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.