CVE-2022-43622
📋 TL;DR
This is a critical buffer overflow vulnerability in D-Link DIR-1935 routers that allows network-adjacent attackers to execute arbitrary code as root without authentication. Attackers can exploit improper length validation in the HNAP_AUTH header parsing during login requests to gain complete control of affected routers. All users of DIR-1935 routers with vulnerable firmware are affected.
💻 Affected Systems
- D-Link DIR-1935
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise allowing attacker to intercept all network traffic, install persistent malware, pivot to internal network devices, and use router as botnet node.
Likely Case
Router takeover leading to DNS hijacking, credential theft from network traffic, and installation of backdoors for persistent access.
If Mitigated
Limited to denial of service if proper network segmentation and access controls prevent adjacent network access.
🎯 Exploit Status
Exploit code is publicly available through ZDI-22-1491. No authentication required makes exploitation trivial for adjacent attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later than 1.03 (check vendor for specific fixed version)
Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310
Restart Required: Yes
Instructions:
1. Log into router web interface 2. Navigate to Firmware Update section 3. Download latest firmware from D-Link support site 4. Upload and apply firmware update 5. Reboot router after update completes
🔧 Temporary Workarounds
Disable Web Management Portal
allDisable the vulnerable web interface to prevent exploitation
Router-specific: Access admin interface > Advanced > Remote Management > Disable
Network Segmentation
allIsolate router management interface to trusted network segment only
Use VLANs or firewall rules to restrict access to router management IP
🧯 If You Can't Patch
- Replace router with non-vulnerable model
- Implement strict network access controls to prevent adjacent network access to router management interface
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface: System > Firmware. If version is 1.03, device is vulnerable.Check Version:
Router-specific: Access web interface or use nmap/curl to check version headersVerify Fix Applied:
Verify firmware version is updated to version later than 1.03. Test by attempting to access web interface from adjacent network - should not be accessible if workarounds applied.📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with malformed HNAP_AUTH headers
- Unusual POST requests to /HNAP1/ with oversized headers
Network Indicators:
- Traffic to router management interface from unexpected internal IPs
- Unusual outbound connections from router after exploitation
SIEM Query:
source_ip=router_management_interface AND (http_user_agent CONTAINS "HNAP" OR uri_path="/HNAP1/") AND http_content_length>1000