Unrated severity · NVD Advisory · Published Dec 17, 2024 · Updated Dec 17, 2024

CVE-2024-37605


Description

A NULL pointer dereference in D-Link DIR-860L REVB_FIRMWARE_2.04.B04_ic5b allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null pointer dereference in D-Link DIR-860L firmware 2.04.B04 allows unauthenticated attackers to cause a denial of service via a crafted HTTP request.

Vulnerability

The vulnerability is a NULL pointer dereference in the D-Link DIR-860L router running firmware version REVB_FIRMWARE_2.04.B04_ic5b. The bug resides in a component that processes HTTP requests. An attacker can trigger the NULL pointer dereference by sending a specially crafted HTTP request to the device. No authentication is required to reach the vulnerable code path. The affected product is a legacy device that has reached End-of-Life (EOL) and End-of-Service (EOS), as noted in the vendor's advisory [1].

Exploitation

An unauthenticated attacker with network access to the router can exploit this vulnerability by sending a crafted HTTP request to the device's web interface. The specific parameters or payload needed to trigger the NULL pointer dereference are not publicly detailed, but the attack is network-based and requires no prior authentication. When the device processes the crafted request, the NULL pointer dereference occurs [1].

Impact

Successful exploitation causes a denial of service (DoS) condition. The NULL pointer dereference likely crashes the affected service or the entire router, rendering the device unresponsive until a manual reboot. There is no indication of code execution or data disclosure; the impact is limited to availability [1].

Mitigation

D-Link has classified the DIR-860L as a legacy product that has reached End-of-Life (EOL) and End-of-Service (EOS). No firmware patches or updates are planned. The vendor recommends that users retire and replace the device [1]. As no fix is available, the only mitigation is to replace the device with a supported, non-EOL router model.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

4
