CVE-2021-28838

7.5 HIGH

📋 TL;DR

A null pointer dereference vulnerability in D-Link DAP series access points allows remote attackers to crash the httpd service by sending specially crafted network packets. This affects multiple DAP models running specific vulnerable firmware versions. The crash results in denial of service, potentially disrupting network connectivity.

💻 Affected Systems

Products:
  • D-Link DAP-2310
  • D-Link DAP-2330
  • D-Link DAP-2360
  • D-Link DAP-2553
  • D-Link DAP-2660
  • D-Link DAP-2690
  • D-Link DAP-2695
  • D-Link DAP-3320
  • D-Link DAP-3662
Versions (vulnerable firmware per model):
  • DAP-2310 2.10RC039
  • DAP-2330 1.10RC036 BETA
  • DAP-2360 2.10RC055
  • DAP-2553 3.10rc039 BETA
  • DAP-2660 1.15rc131b
  • DAP-2690 3.20RC115 BETA
  • DAP-2695 1.20RC093
  • DAP-3320 1.05RC027 BETA
  • DAP-3662 1.05rc069
Operating Systems: Embedded firmware on D-Link access points
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the sbin/httpd binary specifically. All listed versions are vulnerable in default configurations.

📦 What is this software?

The affected products are D-Link DAP series wireless access points. Each runs embedded firmware whose HTTP management interface is served by the sbin/httpd binary, which is the component that crashes in this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for the affected access point, requiring physical reboot to restore functionality. Potential for service disruption across connected networks.

🟠 Likely Case: HTTP service crash causing temporary network interruption until automatic or manual service restart occurs.

🟢 If Mitigated: Minimal impact if devices are behind firewalls with restricted access to management interfaces.

🌐 Internet-Facing: HIGH - Access points with management interfaces exposed to the internet can be easily targeted for DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to disrupt network services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific network packets to trigger the atoi null pointer dereference. Public research documents demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for updated firmware versions

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link security bulletin for affected models.
2. Download the latest firmware for your specific model.
3. Log into the device web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device after the update completes.

🔧 Temporary Workarounds

Restrict HTTP Management Access (applies to: all affected models)
  • Limit access to the device's HTTP management interface to trusted networks only
  • Configure firewall rules to block external access to port 80/tcp and 443/tcp on affected devices

Disable HTTP Management (applies to: all affected models)
  • Use alternative management methods if available
  • Disable the HTTP management interface in the device configuration if SSH or console access is sufficient

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict access controls
  • Implement network monitoring for abnormal HTTP traffic patterns to the management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or CLI against the vulnerable versions listed under Affected Systems.

Check Version:

Check via web interface at System Status or via CLI with appropriate model-specific commands

Verify Fix Applied:

Verify firmware version has been updated to a version not listed in the vulnerable versions. Test HTTP service stability with normal operations.

📡 Detection & Monitoring

Log Indicators:

  • HTTP service crash logs
  • Repeated httpd process restarts
  • Abnormal termination messages in system logs

Network Indicators:

  • Unusual HTTP requests to device management interfaces
  • Sudden loss of HTTP service on standard ports

SIEM Query:

source="dlink_access_point" AND (event="httpd_crash" OR event="service_restart" OR message="*null pointer*" OR message="*segmentation fault*")
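To operationalize the log indicators above outside a SIEM, here is an added example (not from this page or from D-Link) that flags hosts showing repeated httpd crash or respawn events within a short window, separating a suspected DoS from a single benign restart. The syslog message formats and host names are constructed assumptions; real DAP firmware wording may differ, so adjust the patterns to your devices' actual output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real device output); message wording
# is an assumption for illustration only.
SAMPLE_LOGS = """\
Mar  3 10:00:01 dap-2690 kernel: httpd[812]: segmentation fault at 00000000
Mar  3 10:00:02 dap-2690 init: respawning /sbin/httpd
Mar  3 10:00:09 dap-2690 kernel: httpd[815]: segmentation fault at 00000000
Mar  3 10:00:10 dap-2690 init: respawning /sbin/httpd
Mar  3 10:00:17 dap-2690 kernel: httpd[818]: segmentation fault at 00000000
Mar  3 10:00:18 dap-2690 init: respawning /sbin/httpd
Mar  3 11:30:00 dap-2330 init: respawning /sbin/httpd
Mar  3 11:30:01 dap-2330 httpd: listening on port 80
"""

# Indicators taken from the Log Indicators / SIEM query sections.
CRASH_RE = re.compile(r"httpd.*(segmentation fault|null pointer)", re.IGNORECASE)
RESTART_RE = re.compile(r"respawning /sbin/httpd|httpd.*restart", re.IGNORECASE)
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_line(line, year=2021):
    """Split a BSD-style syslog line into (timestamp, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def find_crash_loops(text, window=timedelta(minutes=5), threshold=3):
    """Return {host: max_events} for hosts with at least `threshold`
    httpd crash/restart events inside any sliding `window`."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if CRASH_RE.search(msg) or RESTART_RE.search(msg):
            events[host].append(ts)
    alerts = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[host] = max(alerts.get(host, 0), hits)
    return alerts

if __name__ == "__main__":
    print(find_crash_loops(SAMPLE_LOGS))  # dap-2690 loops; dap-2330 is a one-off
```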

🔗 References
