CVE-2021-28143
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary commands on D-Link DIR-841 routers via the /jsonrpc endpoint. Attackers can inject malicious commands into ping, ping6, or traceroute parameters under System Tools. This affects users of DIR-841 routers running firmware versions 3.03 and 3.04.
💻 Affected Systems
- D-Link DIR-841
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full router compromise allowing attacker to intercept all network traffic, install persistent backdoors, pivot to internal networks, and use the router for further attacks.
Likely Case
Router takeover leading to network monitoring, credential theft, DNS hijacking, and use as a botnet node.
If Mitigated
Limited impact if strong authentication and network segmentation prevent access to vulnerable interfaces.
🎯 Exploit Status
Exploit requires valid credentials but uses simple command injection. Public proof-of-concept code exists in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version after 3.04 (check vendor advisory for specific version)
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10207
Restart Required: Yes
Instructions:
1. Download latest firmware from D-Link support site.
2. Log into router web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload and install new firmware.
5. Router will reboot automatically.
🔧 Temporary Workarounds
Disable remote administration
Prevent external access to router web interface
Navigate to Advanced > Remote Management > Disable
Change default credentials
Use strong, unique passwords for router admin access
Navigate to Tools > Admin > Change password
🧯 If You Can't Patch
- Isolate router on separate VLAN with strict firewall rules blocking unnecessary inbound/outbound traffic
- Implement network monitoring for unusual outbound connections or command execution patterns from router
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under Status > Device Info. If version is 3.03 or 3.04, device is vulnerable.
Check Version:
curl -s http://router-ip/status.cgi | grep Firmware
Verify Fix Applied:
After firmware update, verify version shows newer than 3.04. Test /jsonrpc endpoint with command injection payloads to confirm they're blocked.
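The version check above can be scripted so the result of the curl call is classified automatically. The following is an added example, not part of the advisory or any D-Link tooling; the status page text it parses is constructed, the "Firmware Version" label format is an assumption, and the only facts it relies on are the page's own: 3.03 and 3.04 are affected, and a fixed device should show a version newer than 3.04.

```python
import re
from typing import Optional, Tuple

# Affected firmware versions named in the advisory.
AFFECTED_VERSIONS = {(3, 3), (3, 4)}
LAST_AFFECTED = (3, 4)

# Assumed label format on the status page; adjust to the real page text.
VERSION_RE = re.compile(
    r"Firmware\s*(?:Version)?\s*[:=]?\s*v?(\d+(?:\.\d+)+)", re.IGNORECASE
)

# Constructed sample of what `curl -s http://router-ip/status.cgi | grep Firmware`
# might return; not captured from a real device.
SAMPLE_STATUS_VULNERABLE = "Firmware Version : 3.04\n"
SAMPLE_STATUS_UPDATED = "Firmware Version : 3.05\n"


def extract_version(page_text: str) -> Optional[str]:
    """Pull the dotted version string out of the status page, or None."""
    match = VERSION_RE.search(page_text)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.04' into (3, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def assess(version: Optional[str]) -> str:
    """Classify a firmware version against the advisory's affected range."""
    if version is None:
        return "unknown"
    parsed = parse_version(version)
    if parsed in AFFECTED_VERSIONS:
        return "vulnerable"
    if parsed > LAST_AFFECTED:
        return "newer-than-3.04"
    # Older than 3.03: the advisory says nothing about these builds.
    return "outside-listed-range"


def assess_status_page(page_text: str) -> str:
    """Convenience wrapper: status page text in, classification out."""
    return assess(extract_version(page_text))


if __name__ == "__main__":
    for sample in (SAMPLE_STATUS_VULNERABLE, SAMPLE_STATUS_UPDATED):
        print(sample.strip(), "->", assess_status_page(sample))
```

A result of "outside-listed-range" should be treated as unverified rather than safe, since the advisory only lists the two versions it tested.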
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /jsonrpc with shell metacharacters in parameters
- Multiple failed login attempts followed by successful login and command execution
Network Indicators:
- Unusual outbound connections from router IP
- DNS queries to suspicious domains from router
SIEM Query:
source="router-logs" AND (uri_path="/jsonrpc" AND (param="ping" OR param="ping6" OR param="traceroute") AND param_value MATCHES "[;&|`$()]+")
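The SIEM query above expresses the log indicators; the following added example (not part of the advisory) implements the same logic as a standalone scanner so it can be tested against sample data before being turned into a production rule. The JSON-per-line log format is an assumption, the log lines are constructed, and the metacharacter class is the one from the query. Beyond the query, it also flags ping/traceroute targets that are not plausible hostnames or IP literals, which catches injection attempts that avoid the listed metacharacters.

```python
import json
import re
from typing import Dict, List, Set

# Parameters the advisory names as reachable via /jsonrpc.
WATCHED_PARAMS = {"ping", "ping6", "traceroute"}

# Shell metacharacters from the page's SIEM query.
METACHAR_RE = re.compile(r"[;&|`$()]")

# Allow-list for a legitimate ping/traceroute target: hostname, IPv4 or
# IPv6 literal characters only, no whitespace.
TARGET_RE = re.compile(r"^[A-Za-z0-9.:\-\[\]]{1,253}$")

# Constructed sample log (one JSON object per line); not real router logs.
SAMPLE_LOG = """\
{"ts":"2021-03-10T10:01:02Z","src":"192.0.2.10","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"ping":"8.8.8.8"}}
{"ts":"2021-03-10T10:01:07Z","src":"192.0.2.10","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"traceroute":"example.com"}}
{"ts":"2021-03-10T10:02:15Z","src":"198.51.100.7","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"ping":"8.8.8.8; echo probe"}}
{"ts":"2021-03-10T10:02:16Z","src":"198.51.100.7","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"ping6":"::1 | echo probe"}}
{"ts":"2021-03-10T10:02:40Z","src":"198.51.100.7","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"traceroute":"example.com extra"}}
{"ts":"2021-03-10T10:03:00Z","src":"198.51.100.7","method":"GET","uri_path":"/status.cgi","user":"admin","params":{}}
{"ts":"2021-03-10T10:03:30Z","src":"198.51.100.7","method":"POST","uri_path":"/jsonrpc","user":"admin","params":{"reboot":"1; echo x"}}
"""


def classify(entry: Dict) -> List[Dict]:
    """Return zero or more alerts for one parsed log entry."""
    alerts: List[Dict] = []
    if entry.get("method") != "POST" or entry.get("uri_path") != "/jsonrpc":
        return alerts
    for name, value in entry.get("params", {}).items():
        value = str(value)
        base = {"src": entry.get("src"), "ts": entry.get("ts"), "param": name}
        if name in WATCHED_PARAMS:
            if METACHAR_RE.search(value):
                alerts.append({**base, "severity": "high",
                               "reason": "shell metacharacter in diagnostic target"})
            elif not TARGET_RE.match(value):
                alerts.append({**base, "severity": "medium",
                               "reason": "target is not a plausible host or IP"})
        elif METACHAR_RE.search(value):
            # Not one of the advisory's parameters, but still worth a look.
            alerts.append({**base, "severity": "low",
                           "reason": "shell metacharacter in other /jsonrpc parameter"})
    return alerts


def scan_log(text: str) -> List[Dict]:
    """Parse JSON-per-line log text and collect alerts with line numbers."""
    alerts: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the scanner
        for alert in classify(entry):
            alert["line"] = lineno
            alerts.append(alert)
    return alerts


def sources_with_high(alerts: List[Dict]) -> Set[str]:
    """Source addresses that produced at least one high-severity alert."""
    return {a["src"] for a in alerts if a["severity"] == "high"}


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['severity']:6} {alert['src']} "
              f"{alert['param']}: {alert['reason']}")
```

The allow-list check is deliberately strict; if legitimate users enter targets with other characters, widen TARGET_RE rather than dropping the check, since the metacharacter match alone is the part an attacker is most likely to work around.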
🔗 References
- https://github.com/vitorespf/Advisories/blob/master/DLINK-DIR-841-command-injection.txt
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10207