CVE-2018-19989

high-risk
Published 2019-05-13

In the /HNAP1/SetQoSSettings message, the uplink parameter is vulnerable, and the vulnerability affects D-Link DIR-822 Rev.B 202KRb06 and DIR-822 Rev.C 3.10B06 devices. In the SetQoSSettings.php source code, the uplink parameter is saved in the /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth internal configuration memory without any regex checking. And in the bwc_tc_spq_start, bwc_tc_wfq_start, and bwc_tc_adb_start functions of the bwcsvcs.php source code, the data in /bwc/entry:1/bandwidth and /bwc/entry:2/bandwidth is used with the tc command without any regex checking. A vulnerable /HNAP1/SetQoSSettings XML message could have shell metacharacters in the uplink element such as the `telnetd` string.

Do I need to act?

!
32.8% chance of exploitation in next 30 days
EPSS score — higher than 67% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

D-Link Dlink

References (2)

Exploit https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990
Exploit https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-19986%20-%2019990
55
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 16/34 · Moderate
Exposure 7/34 · Low