CVE-2019-20213
📋 TL;DR
D-Link DIR-859 routers before version 1.07b03_beta allow unauthenticated attackers to access sensitive configuration information via a crafted AUTHORIZED_GROUP parameter in vpnconfig.php. This affects all users of vulnerable DIR-859 router firmware versions.
💻 Affected Systems
- D-Link DIR-859
📦 What is this software?
The D-Link DIR-859 is a wireless router; the affected component is the vpnconfig.php page of its web administration interface.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain VPN credentials, network configuration details, and other sensitive information that could lead to full network compromise.
Likely Case
Unauthenticated information disclosure exposing router configuration, VPN settings, and potentially credentials.
If Mitigated
Limited to information disclosure only if no other vulnerabilities are chained.
🎯 Exploit Status
A single HTTP request with a crafted parameter; publicly documented with a proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.07b03_beta and later
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146
Restart Required: Yes
Instructions:
1. Log into the router admin interface.
2. Navigate to the Firmware Update section.
3. Download firmware version 1.07b03_beta or later from the D-Link support site.
4. Upload and install the firmware.
5. Reboot the router after installation.
🔧 Temporary Workarounds
Disable remote management
Prevent external access to the router administration interface.
Network segmentation
Isolate the router management interface from untrusted networks.
🧯 If You Can't Patch
- Replace router with supported model
- Implement firewall rules to block access to vpnconfig.php endpoint
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[router-ip]/vpnconfig.php?AUTHORIZED_GROUP=1%0a and check if configuration information is returned without authentication.
Check Version:
Check router web interface or use curl: curl -s http://[router-ip]/ | grep -i firmware
Verify Fix Applied:
After patching, attempt the same request and verify no sensitive information is returned.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to vpnconfig.php with AUTHORIZED_GROUP parameter containing %0a
Network Indicators:
- Unusual HTTP GET requests to router management interface from external IPs
SIEM Query:
source="router_logs" AND uri="/vpnconfig.php" AND query="AUTHORIZED_GROUP=1%0a"
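As an added illustration of the log indicator above (example code, not part of the original advisory), the following Python scanner flags requests of the PoC shape in a constructed, CLF-style log sample. It goes a little beyond the SIEM query, which matches only the literal string AUTHORIZED_GROUP=1%0a: the query string is URL-decoded, so uppercase %0A, CRLF variants and other group values are caught as well. The log layout is an assumption; adapt LOG_RE to the syslog, proxy or IDS source you actually collect.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /vpnconfig.php?AUTHORIZED_GROUP=1%0a HTTP/1.1" 200 1843',
    '203.0.113.5 - - [01/Jan/2020:10:00:05 +0000] "GET /vpnconfig.php?AUTHORIZED_GROUP=1%0A HTTP/1.1" 200 1843',
    '192.0.2.9 - - [01/Jan/2020:10:01:00 +0000] "GET /vpnconfig.php?AUTHORIZED_GROUP=0%0d%0a HTTP/1.1" 200 1843',
    '192.0.2.9 - - [01/Jan/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:10:03:00 +0000] "GET /vpnconfig.php HTTP/1.1" 401 0',
]

# Assumed Common-Log-Format-like layout: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cve_2019_20213_probe(target: str) -> bool:
    """True when the request targets vpnconfig.php with an AUTHORIZED_GROUP
    value that contains a CR or LF after URL-decoding (the PoC shape)."""
    parts = urlsplit(target)
    if parts.path.lower() != "/vpnconfig.php":
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.upper() != "AUTHORIZED_GROUP":
            continue
        # parse_qsl already decoded one layer; decode once more to catch
        # a double-encoded %250a that a naive string match would miss.
        for candidate in (value, unquote(value)):
            if "\n" in candidate or "\r" in candidate:
                return True
    return False


def scan_logs(lines):
    """Return (src_ip, timestamp, status, target) for each matching request.
    A 200 with a non-trivial body size suggests the disclosure succeeded;
    a 401/403 suggests the request was blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        if is_cve_2019_20213_probe(m["target"]):
            hits.append((m["src"], m["ts"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("CVE-2019-20213 probe:", hit)
```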
🔗 References
- https://medium.com/%40s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f
- https://medium.com/%40s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-es-6540f7f55b03
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10146
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147