CVE-2021-46315

9.8 CRITICAL

📋 TL;DR

This CVE describes a remote command execution vulnerability in D-Link DIR-846 routers where attackers can inject shell commands through SSID parameters. The vulnerability affects routers running specific firmware versions and allows unauthenticated attackers to execute arbitrary commands on the device. This is a critical vulnerability due to its high CVSS score and potential for complete device compromise.

💻 Affected Systems

Products:
  • D-Link DIR-846 Router
Versions: firmware images DIR846A1_FW100A43.bin and DIR846enFW100A53DLA-Retail.bin
Operating Systems: Embedded Linux/Proprietary Router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HNAP1/control/SetWizardConfig.php endpoint. This is related to CVE-2019-17510, which was not properly patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router takeover allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use the router as part of a botnet.

🟠 Likely Case

Router compromise leading to credential theft, DNS hijacking, man-in-the-middle attacks, and network disruption.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though router functionality could still be disrupted.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - While primarily internet-facing, compromised routers could be used to attack internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit uses shell metacharacters (backticks, spaces with backslashes) in ssid0/ssid1 parameters. Public PoC available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest patched firmware

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Visit the D-Link support website
2. Download the latest firmware for the DIR-846
3. Log into the router admin interface
4. Navigate to the firmware update section
5. Upload and apply the new firmware
6. Reboot the router

🔧 Temporary Workarounds

Disable HNAP1 Service (applies to: all)

Disable the vulnerable HNAP1 service if it is not required. Check the router admin interface for service disable options.

Network Segmentation (applies to: all)

Isolate the router management interface from untrusted networks. Configure firewall rules to restrict access to the router admin interface.

🧯 If You Can't Patch

  • Replace affected routers with updated models or different vendors
  • Implement strict network monitoring and intrusion detection for router traffic

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface against the affected versions. Test whether the HNAP1/control/SetWizardConfig.php endpoint accepts shell metacharacters.

Check Version:

Check the router web interface, or use (replace router-ip with the router's address): curl -s http://router-ip/status.html | grep firmware

Verify Fix Applied:

Verify that the firmware version is newer than the affected versions. Test that shell metacharacters in the ssid parameters no longer execute commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /HNAP1/control/SetWizardConfig.php
  • Shell metacharacters in SSID parameters
  • Unexpected command execution in router logs

Network Indicators:

  • Unusual outbound connections from router
  • DNS changes from router
  • Traffic redirection patterns

SIEM Query:

source="router-logs" AND (uri="/HNAP1/control/SetWizardConfig.php" AND (ssid0 CONTAINS "`" OR ssid1 CONTAINS "`" OR ssid0 CONTAINS "\\ "))
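The SIEM query above checks only for a backtick or a backslash-escaped space in ssid0/ssid1. The following added example (not part of the original advisory or any D-Link code) implements the same detection over access-log lines in Python and generalizes it to the common shell metacharacters an injection through an SSID field would need (backtick, backslash, `$(`, `;`, `|`, newline). The log format and the sample lines are constructed assumptions; real DIR-846 logs may differ, so adjust `LOG_RE` to your actual source.

```python
import re
from urllib.parse import parse_qs

# Endpoint named in the advisory; matched on the path portion of the URI.
TARGET_ENDPOINT = "/HNAP1/control/SetWizardConfig.php"

# Shell metacharacters that should never appear in a legitimate SSID.
# The advisory's two indicators (backtick, backslash-space) are covered by
# "`" and "\\"; the rest extend the check to other injection forms.
# "&" is deliberately left out: it is a form-field separator and appears in
# harmless names such as "Tom&Jerry".
METACHARS = ("`", "\\", "$(", ";", "|", "\n")

# Assumed log layout: client, two dashes, [timestamp], "METHOD URI PROTO",
# status, and the raw POST body in body="...".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
    r'body="(?P<body>[^"]*)"$'
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "POST /HNAP1/control/SetWizardConfig.php HTTP/1.1" 200 body="ssid0=HomeNet&ssid1=GuestNet"',
    '10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "POST /HNAP1/control/SetWizardConfig.php HTTP/1.1" 200 body="ssid0=Net%60id%60&ssid1=Guest"',
    '10.0.0.9 - - [01/Jan/2022:10:00:07 +0000] "POST /HNAP1/control/SetWizardConfig.php HTTP/1.1" 200 body="ssid0=a%5C%20b&ssid1=Guest"',
    '10.0.0.5 - - [01/Jan/2022:10:00:09 +0000] "GET /status.html HTTP/1.1" 200 body=""',
    '10.0.0.5 - - [01/Jan/2022:10:00:11 +0000] "POST /HNAP1/control/SetWizardConfig.php HTTP/1.1" 200 body="ssid0=Caf%C3%A9%20Wifi&ssid1=Guest"',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_shell_metachar(value):
    """True if the decoded field value contains any shell metacharacter."""
    return any(mc in value for mc in METACHARS)


def suspicious_ssid_values(body):
    """Decode a POST body and return {param: value} for flagged ssid0/ssid1."""
    # parse_qs percent-decodes values, so %60 becomes "`" and %5C becomes "\".
    fields = parse_qs(body, keep_blank_values=True)
    flagged = {}
    for param in ("ssid0", "ssid1"):
        for value in fields.get(param, []):
            if has_shell_metachar(value):
                flagged[param] = value
    return flagged


def scan(lines):
    """Return one alert per flagged ssid parameter in POSTs to the endpoint."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["uri"].split("?", 1)[0] != TARGET_ENDPOINT:
            continue
        for param, value in suspicious_ssid_values(rec["body"]).items():
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "param": param, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f'{alert["ts"]} {alert["src"]} {alert["param"]}={alert["value"]!r}')
```

Only the two requests from 10.0.0.9 are reported; the non-ASCII SSID "Café Wifi" is percent-encoded but contains no metacharacter and is correctly left alone. Feed the function real lines and pivot on `src` to find the sender before checking the router's DNS and outbound-connection indicators listed above.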
