CVE-2022-43628

6.8 MEDIUM

📋 TL;DR

This vulnerability allows network-adjacent attackers to execute arbitrary code as root on D-Link DIR-1935 routers. The flaw is improper input validation in the handler for the SetIPv6FirewallSettings SOAP action: a user-supplied string is passed into a system call without validation, giving OS command injection. Authentication is nominally required, but the advisory states that the existing authentication mechanism can be bypassed, so in practice no valid credentials are needed. Only DIR-1935 routers running firmware version 1.03 are listed as affected.

💻 Affected Systems

Products:
  • D-Link DIR-1935
Versions: 1.03
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All DIR-1935 routers running firmware 1.03 are vulnerable by default; no optional feature has to be enabled. The attacker needs to reach the router's web/SOAP management interface, which is normally exposed on the LAN side.

📦 What is this software?

The D-Link DIR-1935 is a consumer/SOHO Wi-Fi router. Its embedded-Linux firmware ships a web management interface with a SOAP-based management API; the vulnerable code is the handler for the SetIPv6FirewallSettings action in that API, which runs as root.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full root control of the router, enabling traffic interception, network pivoting, malware deployment, and persistent backdoor installation.

🟠 Likely Case

An attacker already on the LAN (a compromised laptop, a guest-network device, a malicious insider) roots the router to intercept traffic, change DNS settings to redirect clients, and pivot to other internal hosts.

🟢 If Mitigated

With the management interface reachable only from a trusted management VLAN and the firmware updated, exposure is limited to whoever can reach that segment.

🌐 Internet-Facing: LOW (the flaw is network-adjacent; it becomes internet-exploitable only if remote management of the router is exposed on the WAN side)
🏢 Internal Only: HIGH (exploitable by any device that can reach the management interface on the LAN; the authentication bypass means credentials are not a barrier)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Effectively yes (authentication is nominally required, but the advisory states the authentication mechanism can be bypassed)
Complexity: LOW

Exploitation chains the authentication bypass with the command injection in SetIPv6FirewallSettings; no user interaction is needed. The ZDI advisory describes the flaw in enough detail for it to be weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.04 or later

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310

Restart Required: Yes (the router reboots as part of the update)

Instructions:

1. Download firmware 1.04 or later for your hardware revision from the D-Link support site linked in the advisory (the revision is printed on the product label; images are revision-specific).
2. Log into the router web interface from a wired LAN client.
3. Navigate to Administration > Firmware Update.
4. Upload the image and apply the update; do not power-cycle the device while it is writing flash.
5. The router reboots automatically. Log back in and confirm the version shown under Device Info is 1.04 or higher.

🔧 Temporary Workarounds

Disable IPv6 Firewall Management

Disable the IPv6 firewall feature in the router configuration. Caveat: nothing in the advisory establishes that turning the feature off in the UI removes the SetIPv6FirewallSettings handler from the management API, so treat this as defence in depth rather than a fix.

Restrict Management Interface Access

Allow access to the management interface only from trusted addresses (a management VLAN or a short list of admin hosts), and make sure remote (WAN-side) management is off. Because the authentication bypass makes credentials irrelevant, reachability is the control that matters.

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN with strict access controls
  • Implement network monitoring for suspicious SetIPv6FirewallSettings requests

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: Login > Status > Device Info > Firmware Version. Also confirm the model is DIR-1935; other models are not covered by this advisory.

Check Version:

curl -s http://router-ip/status.asp | grep 'Firmware Version'

(The status.asp path is an assumption that may not exist on every firmware build; if it returns nothing or a 404, use the web interface check above.)

Verify Fix Applied:

Verify that the firmware version shown on the Device Info page is 1.04 or higher.
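The version comparison is easy to get wrong with string checks ("1.10" sorts before "1.04" lexically), so here is a small checker, added as an example and not code from the advisory or from D-Link. It assumes the version string appears on a page like the status.asp the curl line above reads (that path is an assumption), so fetching is separated from parsing and comparison, which run offline on a constructed page snippet:

```python
"""Firmware-version check for the CVE-2022-43628 fix (DIR-1935 >= 1.04).

Added example; not code from the advisory or from D-Link. The status page
layout below is constructed for illustration.
"""
import re
import urllib.request
from typing import Optional, Tuple

FIXED_IN = (1, 4)  # first fixed release named by the vendor advisory

# Constructed snippet of a device-info page, for offline use.
SAMPLE_STATUS_HTML = """
<table>
  <tr><td>Model Name:</td><td>DIR-1935</td></tr>
  <tr><td>Firmware Version:</td><td>1.03</td></tr>
</table>
"""

# 'Firmware Version', then up to 40 non-digit chars (markup, colon, spaces),
# then a dotted numeric version such as 1.03 or 1.10.
VERSION_RE = re.compile(r"Firmware\s*Version[^0-9]{0,40}?([0-9]+(?:\.[0-9]+)+)",
                        re.IGNORECASE)


def find_version_string(page: str) -> Optional[str]:
    """Return the first dotted version after 'Firmware Version', or None."""
    m = VERSION_RE.search(page)
    return m.group(1) if m else None


def version_key(raw: str) -> Tuple[int, ...]:
    """'1.03' -> (1, 3); a trailing build tag such as '1.10B02' -> (1, 10)."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)+", raw)
    if not m:
        raise ValueError(f"not a dotted version: {raw!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(raw: str) -> bool:
    """Numeric comparison, so 1.10 correctly counts as newer than 1.04."""
    return version_key(raw) < FIXED_IN


def assess(page: str) -> str:
    raw = find_version_string(page)
    if raw is None:
        return "UNKNOWN: no 'Firmware Version' string found; check Status > Device Info in the web UI"
    if is_vulnerable(raw):
        return f"VULNERABLE: firmware {raw} is below the fixed release 1.04"
    return f"PATCHED: firmware {raw} is 1.04 or later"


def fetch(url: str, timeout: float = 5.0) -> str:
    """Fetch the status page; the URL (e.g. http://router-ip/status.asp) is an assumption."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    page = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS_HTML
    print(assess(page))
```

Run it with the router's status URL as the only argument; with no argument it assesses the constructed sample and reports it as vulnerable.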

📡 Detection & Monitoring

Log Indicators:

  • Any SetIPv6FirewallSettings request that no administrator made
  • A run of authentication failures from one source followed by a successful login (consistent with probing the bypass)
  • System command execution spawned by the web/SOAP management process

Network Indicators:

  • POST requests invoking the SetIPv6FirewallSettings action whose parameters contain shell metacharacters (; | & ` $( > <). On D-Link's HNAP interface this is a POST to /HNAP1/ with a SOAPAction header naming the method, so match on the method name in the header, body or URL path (e.g. /goform/SetIPv6FirewallSettings) rather than on one fixed path.
  • New outbound connections or new listening services on the router after such a request

SIEM Query:

source="router-logs" AND (uri_path="*SetIPv6FirewallSettings*" OR soap_action="*SetIPv6FirewallSettings*" OR request_body="*SetIPv6FirewallSettings*") AND (request_body="*;*" OR request_body="*|*" OR request_body="*`*" OR request_body="*$(*")

The field names (uri_path, soap_action, request_body) depend on the log source; adjust them to your schema. Matching on the action name alone is noisy but useful as a low-severity audit event.
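The indicators above, turned into detection logic that runs over captured requests and a login log. This is an added example, not code from the advisory or from D-Link: the request records are constructed, the element names inside the SOAP body (RuleEnabled, SrcIP) are placeholders rather than the real schema, and the login-log line format is invented. Because of that, the scanner keys on the method name wherever it appears (SOAPAction header, path or body) and on shell metacharacters in any element value, so it does not depend on the exact endpoint or parameter names:

```python
"""Detection logic for CVE-2022-43628 indicators over captured requests and logs.

Added example, not code from the advisory or from D-Link. Sample data and the
body element names are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACTION = "SetIPv6FirewallSettings"
# Characters that let a string injected into a shell command run extra commands.
SHELL_META = re.compile(r"[;|&`$<>\n]")
# <Tag>value</Tag> pairs with no nested markup; the backreference keeps tags paired.
LEAF_ELEMENT = re.compile(r"<([A-Za-z0-9_]+)>([^<]*)</\1>")


@dataclass
class Request:
    src: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Alert:
    severity: str  # "info" | "medium" | "high"
    src: str
    reason: str


# Constructed sample traffic. The HNAP namespace in the SOAPAction header is the
# usual D-Link one; the body element names are placeholders.
SOAP_NS = "http://purenetworks.com/HNAP1/"
SAMPLE_REQUESTS = [
    Request("192.168.0.5", "POST", "/HNAP1/", {"SOAPAction": f'"{SOAP_NS}GetDeviceSettings"'},
            "<GetDeviceSettings/>"),
    Request("192.168.0.5", "POST", "/HNAP1/", {"SOAPAction": f'"{SOAP_NS}{ACTION}"'},
            f"<{ACTION}><RuleEnabled>true</RuleEnabled><SrcIP>2001:db8::10</SrcIP></{ACTION}>"),
    Request("192.168.0.23", "POST", "/HNAP1/", {"SOAPAction": f'"{SOAP_NS}{ACTION}"'},
            f"<{ACTION}><RuleEnabled>true</RuleEnabled>"
            f"<SrcIP>2001:db8::10; telnetd -l /bin/sh</SrcIP></{ACTION}>"),
]

# Constructed login log: '<timestamp> <src-ip> login <failed|ok>'.
SAMPLE_AUTH_LOG = [
    "2024-05-01T10:00:01 192.168.0.23 login failed",
    "2024-05-01T10:00:02 192.168.0.23 login failed",
    "2024-05-01T10:00:03 192.168.0.23 login failed",
    "2024-05-01T10:00:04 192.168.0.23 login failed",
    "2024-05-01T10:00:05 192.168.0.23 login ok",
    "2024-05-01T10:05:00 192.168.0.5 login ok",
]


def mentions_action(req: Request) -> bool:
    """True if the method name appears in the path, SOAPAction header or body."""
    haystack = " ".join([req.path, req.headers.get("SOAPAction", ""), req.body])
    return ACTION in haystack


def injected_fields(req: Request) -> List[str]:
    """Element values in the body that carry shell metacharacters."""
    return [f"{tag}={val}" for tag, val in LEAF_ELEMENT.findall(req.body)
            if SHELL_META.search(val)]


def classify(req: Request) -> Optional[Alert]:
    if req.method != "POST" or not mentions_action(req):
        return None
    bad = injected_fields(req)
    if bad:
        return Alert("high", req.src, f"{ACTION} with shell metacharacters: {bad}")
    # Any call to this action is worth a look: confirm an administrator made it.
    return Alert("info", req.src, f"{ACTION} invoked")


def scan_requests(reqs: List[Request]) -> List[Alert]:
    return [a for a in map(classify, reqs) if a is not None]


def auth_bursts(lines: List[str], threshold: int = 3) -> List[Alert]:
    """Flag a source whose successful login follows >= threshold failures."""
    failures: Dict[str, int] = {}
    alerts: List[Alert] = []
    for line in lines:
        _ts, src, _word, result = line.split()
        if result == "failed":
            failures[src] = failures.get(src, 0) + 1
        elif result == "ok":
            n = failures.pop(src, 0)  # a success resets the counter
            if n >= threshold:
                alerts.append(Alert("medium", src, f"login succeeded after {n} failures"))
    return alerts


if __name__ == "__main__":
    for a in scan_requests(SAMPLE_REQUESTS) + auth_bursts(SAMPLE_AUTH_LOG):
        print(f"[{a.severity}] {a.src}: {a.reason}")
```

On the sample data the legitimate rule change from 192.168.0.5 produces only an "info" audit event, the request from 192.168.0.23 with `;` in a parameter is rated "high", and the same host's four failed logins followed by a success are flagged "medium". Feed real traffic in by building Request objects from your proxy or IDS export.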

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-43628
  • D-Link advisory SAP10310: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10310