CVE-2023-39638
Description
D-LINK DIR-859 A1 1.05 and A1 1.06B01 Beta01 were discovered to contain a command injection vulnerability via the lxmldbc_system function at /htdocs/cgibin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability exists in D-Link DIR-859 A1 firmware 1.05 and 1.06B01 Beta01 via the `lxmldbc_system` function in `/htdocs/cgibin`.
Vulnerability
A command injection vulnerability exists in the D-Link DIR-859 A1 router with firmware versions 1.05 and 1.06B01 Beta01. The flaw is located in the lxmldbc_system function within the /htdocs/cgibin binary. An attacker can trigger the injection by sending specially crafted input that is not properly sanitized before it is passed to a system command [1][2].
Exploitation
An attacker must have network access to the affected device, typically on the local network. No authentication is required to reach the vulnerable code path. The attacker sends a crafted HTTP request to the cgibin interface with malicious input in a parameter that is processed by the lxmldbc_system function, leading to arbitrary command execution [2].
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the router, including disclosure of sensitive configuration data, modification of settings, denial of service, or use as a pivot point for further attacks on the network [2].
Mitigation
As of the publication date (2023-09-14), no fix has been released by D-Link. The DIR-859 A1 is an end-of-life (EOL) product, and D-Link does not intend to issue a security update [1]. Users are advised to replace the device with a supported model or isolate it from untrusted networks as a workaround. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References
3