Newly-disclosed vulnerability awarded highest possible CVSS severity rating

A critical vulnerability present in D-Link DNS-320 ShareCenter devices has been resolved.

Impacting D-Link ShareCenter products running firmware versions 2.05.B10 and lower, the critical security flaw is tracked as CVE-2019-16057 and has been issued a CVSS v2.0 and CVSS v3.1 base score of 10.0 and 9.8, respectively.

Trung Nguyen, the co-founder of CyStack Security, discovered the remote code execution (RCE) vulnerability.

In a blog post, Nguyen said that if the vulnerability is exploited “a remote, unauthenticated attacker can access all application commands with root permission.”

During an examination of the device’s security, the researcher downloaded and unpacked the firmware used to operate the D-Link DNS-320 ShareCenter product range, a RAID 1 storage device designed for applications such as remote backup.

The firmware was extracted using Binwalk and Firmware Modification Kit.

On inspection, the /cgi/login_mgr.cgi login request script, which is part of the firmware’s SSL Login module, attracted the researcher’s interest.

He found that the port parameter in the script could be poisoned to execute arbitrary commands, opening the door to an RCE attack.

The severe vulnerability was reported to the vendor in mid-August.

D-Link requested additional information and confirmed the validity of the report by September 6, according to CyStack.

Crossed timelines

Yet, according to the DNS-320 release notes dated April 11, the vendor resolved the RCE in an update that also fixed an issue related to a wave of attacks against NAS devices using the Cr1ptT0r ransomware. 

The firmware patch, applied to the login_mgr.cgi script, also appears to have fixed CVE-2019-16057.

“I don't know exactly what issue they found related to the flaw I'm addressing [...], but the patch worked,” Nguyen said. “They fixed it by typecasting parameter port to Integer.”
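The fix Nguyen describes, treating port as an integer, only holds if the parsed number rather than the original request string is what later code uses. The sketch below is an added example, not D-Link's patch or CyStack's code; the function names `parse_port` and `format_port` and the sample inputs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Strictly parse a TCP port from an untrusted CGI parameter.
 * Returns 0 and stores the value in *out on success, -1 on malformed
 * input. Unlike atoi(), nothing after the digits is tolerated. */
int parse_port(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s < '0' || *s > '9')  /* no sign, no leading space */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')          /* overflow or trailing bytes */
        return -1;
    if (v < 1 || v > 65535)                  /* outside the valid port range */
        return -1;
    *out = (int)v;
    return 0;
}

/* Rebuild the value passed on to later code from the parsed integer only,
 * never from the original request string. Returns the length or -1. */
int format_port(const char *raw, char *buf, size_t len)
{
    int port, n;

    if (parse_port(raw, &port) != 0)
        return -1;
    n = snprintf(buf, len, "%d", port);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "443", "8080", "443;id", "0", "65536", " 80", "" };
    char buf[8];

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int n = format_port(samples[i], buf, sizeof buf);
        printf("[%s] -> %s\n", samples[i], n < 0 ? "rejected" : buf);
    }
    return 0;
}
```

A bare `atoi()` cast would quietly turn `443;id` into 443; rejecting the request outright also leaves a malformed value to log and alert on.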

CyStack publicly disclosed the issue on September 12. D-Link followed this with a security advisory on September 15.

“Prior to the report, on April 11, 2019, D-Link had published a security patch that addressed this issue and other reported vulnerabilities,” D-Link told The Daily Swig.

“Meaning, the reported ‘Unauthenticated Remote code execution’ vulnerability had already been addressed in a patch that was available back in April 2019.”

The Daily Swig has reached out to D-Link for further clarification on whether the patch issued in April inadvertently fixed the RCE reported by CyStack in August.

A security advisory was issued by the company in March about the patch aimed at mitigating the Cr1ptT0r issue.