Vulnerability Note VU#677427

D-Link routers HNAP service contains stack-based buffer overflow

Original Release date: 07 Nov 2016 | Last revised: 10 Nov 2016

Overview

D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2016-6563

Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha.

CVE-2016-6563 appears to affect:

  • DIR-823
  • DIR-822
  • DIR-818L(W)
  • DIR-895L
  • DIR-890L
  • DIR-885L
  • DIR-880L
  • DIR-868L

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.

Solution

Apply an update
D-Link has released firmware updates to address the vulnerabilities in affected routers. Please see their announcement.
If you are unable to update your device, please see the following workarounds:

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks. Additionally, you may wish to disable remote administration of the router.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
D-Link Systems, Inc.Affected12 Sep 201627 Oct 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal 8.0 E:POC/RL:W/RC:ND
Environmental 6.0 CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs: CVE-2016-6563
  • Date Public: 07 Nov 2016
  • Date First Published: 07 Nov 2016
  • Date Last Updated: 10 Nov 2016
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.