CVE-2022-46566
Description
D-Link DIR-882 DIR882A1_FW130B06 and DIR-878 DIR_878_FW1.30B08 were discovered to contain a stack overflow via the Password parameter in the SetQuickVPNSettings module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack overflow vulnerability in D-Link DIR-882 and DIR-878 routers via the Password parameter in the SetQuickVPNSettings module allows remote authenticated attackers to cause denial of service or possibly execute arbitrary code.
Vulnerability
A stack overflow vulnerability exists in the SetQuickVPNSettings module of D-Link DIR-882 (firmware DIR882A1_FW130B06) and DIR-878 (firmware DIR_878_FW1.30B08) routers [1][2]. The flaw occurs when the program processes the Password parameter from the /HNAP1/ endpoint. The attacker-controlled input is passed to the decrypt_aes function and subsequently to sub_426D74, where a for loop copies the decoded hex value onto the stack without proper bounds checking, leading to a stack overflow [1][2].
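The copy-loop pattern described above, next to a bounds-checked version, as an added illustration. This is not the firmware's decompiled code: the function names, the 16-byte destination buffer and the sample input are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Unsafe pattern (hypothetical): the loop bound comes only from the input
 * length, so a long hex string writes past the end of a fixed-size 'out'. */
size_t hex_decode_unchecked(const char *hex, unsigned char *out)
{
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)((hex_val(hex[2 * i]) << 4) | hex_val(hex[2 * i + 1]));
    return n;
}

/* Hardened form: rejects odd length, output larger than out_cap, and
 * non-hex digits. Returns the decoded byte count, or -1 on rejection. */
long hex_decode_bounded(const char *hex, unsigned char *out, size_t out_cap)
{
    size_t len = strlen(hex);
    if (len % 2 != 0 || len / 2 > out_cap)
        return -1;                      /* capacity check before any write */
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hex_val((unsigned char)hex[2 * i]);
        int lo = hex_val((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;                  /* malformed input is refused */
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(len / 2);
}

int main(void)
{
    unsigned char key[16];              /* constructed stack buffer size */
    char long_hex[201];                 /* constructed over-long value */
    memset(long_hex, '4', 200);
    long_hex[200] = '\0';
    printf("short input: %ld\n", hex_decode_bounded("00112233", key, sizeof key));
    printf("long input:  %ld\n", hex_decode_bounded(long_hex, key, sizeof key));
    return 0;
}
```

The unchecked function is shown only for contrast and is never called; the bounded version refuses the 100-byte value before the first write.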
Exploitation
An attacker must have administrative access to the router's web interface (typically at 192.168.0.1) and send a crafted HTTP POST request to /HNAP1/ with the SOAPAction header set to "http://purenetworks.com/HNAP1/SetQuickVPNSettings" [1][2]. The request includes an XML body containing an overly long Password value. No user interaction beyond the initial authentication is required, and no race condition is involved [1][2].
Impact
Successful exploitation overflows a stack buffer, potentially causing a denial of service (router crash) or, if the overflow is carefully controlled, arbitrary code execution with the privileges of the router's web server process [1][2]. This could allow an attacker to fully compromise the router and gain persistent access to the network.
Mitigation
D-Link has not released a security bulletin or firmware update for these specific products as of the publication date [3]. Both DIR-882 and DIR-878 may be end-of-life (EOL) or limited-support models; users should check the D-Link EOL policy [3]. If no fix is available, mitigating controls include restricting administrative access to the router's web interface to trusted hosts only and disabling remote management [3]. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.