CVE-2019-20500
Published: 05 March 2020
Summary
CVE-2019-20500 is a high-severity OS Command Injection (CWE-78) vulnerability in D-Link DWL-2600AP firmware. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
D-Link DWL-2600AP devices running firmware version 4.2.0.15 Rev A contain an authenticated OS command injection vulnerability in the web interface's Save Configuration functionality. The flaw, tracked as CWE-78, allows shell metacharacters to be supplied in the configBackup or downloadServerip parameters of the admin.cgi?action=config_save endpoint, resulting in execution of arbitrary operating system commands.
An attacker who has obtained low-privileged authenticated access to the device can leverage the injection to run commands with high impact on confidentiality, integrity, and availability. The CVSS 3.1 base score of 7.8 reflects local attack vector, low attack complexity, and no user interaction requirements.
D-Link has issued a security advisory (SAP10113) that addresses the issue, and public exploit code demonstrating the vulnerability has been published. The CVE is also catalogued by CISA among known exploited vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-11044
Vulnerability details
D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 29 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- D-Link DWL-2600AP firmware 4.2.0.15 Rev A
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks CWE-78 OS command injection by validating or sanitizing the configBackup and downloadServerip parameters before they reach the shell in admin.cgi.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor firmware patch (SAP10113) that eliminates the authenticated command-execution path in the Save Configuration function.
- Least privilege: Limits the privileges of the authenticated account that reaches the vulnerable endpoint, reducing the impact of any commands that are successfully injected.
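The SI-10 control above is the one a firmware developer can implement directly. The following is an added example, not D-Link's firmware code and not taken from the advisory: it shows how the two Save Configuration parameters named on this page (configBackup and downloadServerip) can be allowlist-validated and then passed to an upload tool as an argv list rather than interpolated into a shell string, which is what turns a CWE-78 sink into a safe call. The tool path /sbin/config_upload and its flags are hypothetical placeholders; the real firmware's internals are not on the page.

```python
"""Hardened handling of the admin.cgi?action=config_save parameters.

Added example (not D-Link code). Demonstrates NIST 800-53 SI-10 input
validation against CWE-78: strict allowlists for both parameters and no
shell in the execution path. The upload tool and its flags are assumptions.
"""
import ipaddress
import re
import subprocess
from typing import Callable, List

# configBackup: a single filename component. Must start with a letter or
# digit, then only letters, digits, '.', '_' and '-'. No '/', no spaces,
# and therefore no shell metacharacters of any kind.
_FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# downloadServerip: an RFC 1123 hostname (labels of letters, digits and
# hyphens, not starting or ending with '-', joined by dots), checked only
# after the value has failed to parse as an IPv4/IPv6 literal.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Hypothetical upload helper; stands in for whatever the firmware really calls.
UPLOAD_TOOL = "/sbin/config_upload"


class ValidationError(ValueError):
    """Raised when a request parameter does not match its allowlist."""


def validate_config_backup(name: str) -> str:
    """Return the backup filename if it matches the allowlist, else raise."""
    if not _FILENAME_RE.fullmatch(name):
        raise ValidationError(f"configBackup rejected: {name!r}")
    return name


def validate_download_server(host: str) -> str:
    """Return the server as a normalised IP literal or a validated hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname allowlist
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValidationError(f"downloadServerip rejected: {host!r}")


def build_save_command(config_backup: str, download_server: str) -> List[str]:
    """Validate both parameters and build an argv list for the upload tool.

    Returning a list (never a joined string) means each value becomes one
    exec() argument; nothing in it is ever parsed by /bin/sh.
    """
    name = validate_config_backup(config_backup)
    host = validate_download_server(download_server)
    return [UPLOAD_TOOL, "--file", name, "--server", host]


def save_configuration(
    config_backup: str,
    download_server: str,
    runner: Callable = subprocess.run,
) -> subprocess.CompletedProcess:
    """Handler body for action=config_save. `runner` is injectable for tests."""
    argv = build_save_command(config_backup, download_server)
    # shell=False is the default, stated explicitly here because it is the
    # whole point: the argv elements go to execve() without a shell.
    return runner(argv, shell=False, check=False,
                  capture_output=True, timeout=30)


if __name__ == "__main__":
    # Constructed sample requests: one well-formed, one carrying a metacharacter.
    print(build_save_command("ap-backup.cfg", "192.168.1.10"))
    try:
        build_save_command("ap-backup.cfg; reboot", "192.168.1.10")
    except ValidationError as exc:
        print("rejected:", exc)
```

The order matters: reject first, then build argv, then execute. Validation alone would still be fragile if the result were later pasted into a shell string, and argv-only execution alone would still let an attacker-controlled filename reach the filesystem, so both halves are kept.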