CVE-2021-28840

7.5 HIGH

📋 TL;DR

A null pointer dereference vulnerability in D-Link DAP series access points allows remote attackers to crash the httpd service via a specially crafted HTTP GET request. This affects multiple D-Link DAP models running specific vulnerable firmware versions. The vulnerability can cause denial of service, potentially disrupting network connectivity.

💻 Affected Systems

Products:
  • D-Link DAP-2310
  • D-Link DAP-2330
  • D-Link DAP-2360
  • D-Link DAP-2553
  • D-Link DAP-2660
  • D-Link DAP-2690
  • D-Link DAP-2695
  • D-Link DAP-3320
  • D-Link DAP-3662
Versions:
  • DAP-2310 2.07.RC031
  • DAP-2330 1.07.RC028
  • DAP-2360 2.07.RC043
  • DAP-2553 3.06.RC027
  • DAP-2660 1.13.RC074
  • DAP-2690 3.16.RC100
  • DAP-2695 1.17.RC063
  • DAP-3320 1.01.RC014
  • DAP-3662 1.01.RC022
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the httpd binary's upload_config function when handling specific HTTP GET requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service causing the access point to crash and become unavailable, requiring physical restart and disrupting all connected devices.

🟠 Likely Case

HTTP service crash leading to temporary loss of web management interface and potential network instability until service restarts.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH - Access points with web management exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to disrupt network services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specific HTTP GET request to trigger the null pointer dereference. Public research papers detail the vulnerability mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest patched firmware versions

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link support website.
2. Download the latest firmware for your specific DAP model.
3. Log into the device web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device after the update completes.

🔧 Temporary Workarounds

Disable HTTP Management Interface

all

Disable web management interface or restrict access to trusted networks only

  • Configure firewall rules to block external access to port 80/443 on DAP devices
  • Use CLI to disable httpd service if supported

Network Segmentation

all

Isolate DAP devices on separate VLAN without internet exposure

  • Configure switch ports to place DAP on management VLAN
  • Set up ACLs to restrict access to DAP management IPs

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to DAP management interfaces
  • Deploy network monitoring and IDS/IPS to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface (System > Firmware) or the CLI and compare it against the vulnerable versions listed under Affected Systems above.

Check Version:

Web interface: System > Firmware page; CLI: 'show version' or similar model-specific command

Verify Fix Applied:

Confirm the firmware version is no longer one of those listed under Affected Systems above, then test HTTP service stability with normal management requests.

📡 Detection & Monitoring

Log Indicators:

  • HTTP service crash logs
  • Repeated httpd process restarts
  • Unusual HTTP GET requests to upload_config endpoints

Network Indicators:

  • HTTP requests causing device unresponsiveness
  • Increased HTTP error responses from DAP devices

SIEM Query:

source="dlink-dap" AND (http_request="*upload_config*" OR (process="httpd" AND event="crash"))
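The log indicators and SIEM query above, applied to constructed sample log lines as an added example (not part of this advisory; the syslog line format, the segfault/respawn wording, and the host and IP values are assumed):

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog-style lines from a DAP access point (assumed format:
# "<ISO timestamp> <host> <process>: <message>"); not captured from a real device.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z dap-2690 httpd: GET /index.php from 10.0.0.5
2024-03-01T10:00:05Z dap-2690 httpd: GET /cgi-bin/upload_config from 203.0.113.7
2024-03-01T10:00:06Z dap-2690 kernel: httpd[812]: segfault at 0 (null pointer)
2024-03-01T10:00:07Z dap-2690 init: respawning httpd
2024-03-01T10:00:30Z dap-2690 httpd: GET /cgi-bin/upload_config from 203.0.113.7
2024-03-01T10:00:31Z dap-2690 kernel: httpd[815]: segfault at 0 (null pointer)
2024-03-01T10:00:32Z dap-2690 init: respawning httpd
2024-03-01T10:05:00Z dap-2690 httpd: GET /status.php from 10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
REQUEST_RE = re.compile(r"GET (\S+) from (\S+)")

def parse(lines):
    """Yield (timestamp, host, process, message) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def correlate(logs, window_s=10, restart_threshold=2):
    """Apply the SIEM query plus a time correlation: an httpd crash that follows an
    upload_config GET within window_s seconds is attributed to that request's source;
    restart_threshold or more httpd respawns on one host are flagged as well."""
    alerts, pending, restarts = [], [], {}
    for ts, host, proc, msg in parse(logs):
        if proc == "httpd" and "upload_config" in msg and (r := REQUEST_RE.search(msg)):
            pending.append((ts, r.group(2), r.group(1)))  # candidate trigger request
        elif "segfault" in msg and "httpd" in msg:
            # most recent upload_config request inside the correlation window, if any
            recent = [p for p in pending if ts - p[0] <= timedelta(seconds=window_s)]
            src, path = (recent[-1][1], recent[-1][2]) if recent else ("unknown", "?")
            alerts.append({"host": host, "ts": ts.isoformat(), "src": src, "path": path,
                           "rule": "httpd_crash_after_upload_config" if recent else "httpd_crash"})
        elif proc == "init" and "respawning httpd" in msg:
            restarts[host] = restarts.get(host, 0) + 1
    for h, n in restarts.items():
        if n >= restart_threshold:
            alerts.append({"host": h, "rule": "repeated_httpd_restarts", "count": n})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```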

🔗 References
