CVE-2019-16920
Published: 27 September 2019
Summary
CVE-2019-16920 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-655 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-16920 is an unauthenticated remote code execution vulnerability arising from OS command injection (CWE-78) in the PingTest device CGI of multiple D-Link router and access-point models, including DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825. An attacker supplies crafted input that is passed directly to a system command without sanitization, resulting in arbitrary command execution on the affected device.
Because the flaw is reachable over the network without authentication or user interaction, any remote attacker who can reach the web interface can trigger the injection. Successful exploitation yields full system compromise, allowing the attacker to execute arbitrary commands with the privileges of the web server process.
Public references such as FortiGuard FG-VD-19-117, CERT VU#766427, and Seebug entries document the affected firmware versions and confirm the command-injection vector, but do not detail vendor-supplied patches or configuration work-arounds within the provided source material.
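The input handling described above, as an added example that is not D-Link firmware code or code from the original page: a hypothetical ping-test handler in C that accepts only an IP literal and runs ping through `execv` rather than a shell. The function names and `PING_PATH` are assumptions.

```c
/* Added example: a hypothetical ping-test handler, not D-Link firmware code. */
#include <arpa/inet.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define PING_PATH "/bin/ping" /* assumption: location of ping on the device */

/* SI-10: accept only a single IPv4 or IPv6 literal, nothing else. */
int is_ip_literal(const char *s)
{
    unsigned char buf[16]; /* large enough for an IPv6 address */
    if (s == NULL || s[0] == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Fill argv for execv(); returns 0 on success, -1 if the target is rejected. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!is_ip_literal(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = target; /* one argv element: never parsed by a shell */
    argv[4] = NULL;
    return 0;
}

/* The flawed pattern is a string like "ping -c 1 <input>" handed to system().
 * Here the request value reaches ping only after validation, and via execv. */
int run_ping_test(const char *target)
{
    const char *argv[5];
    int status;
    pid_t pid;
    if (build_ping_argv(target, argv) != 0)
        return -1;                 /* rejected before any process is created */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execv(PING_PATH, (char *const *)argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Hostnames are rejected by design in this sketch; a handler that must accept them needs its own strict allow-list check before the value is placed in `argv`.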
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-7414
Vulnerability details
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to command injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
- CWE(s)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all inputs to the PingTest CGI so that crafted parameters cannot be passed unsanitized into system commands.
Enforces authentication and authorization checks before any access to device CGI endpoints, eliminating the unauthenticated attack vector described in the CVE.
Boundary-protection mechanisms can restrict network reachability of the web-management interface, reducing the set of remote attackers able to reach the vulnerable PingTest function.