CVE-2023-29665 – CVE-2023-29665 is a critical stack overflow vul... (How to Fix)

Q: What is the severity of CVE-2023-29665?

CVE-2023-29665 has a CVSS score of 9.8 (CRITICAL). CVE-2023-29665 is a critical stack overflow vulnerability in D-Link DIR823G routers that allows remote attackers to execute arbitrary code by sending specially crafted requests to the SetPasswdSettings HNAP endpoint. This affects all users of DIR823G routers running vulnerable firmware versions, potentially giving attackers full control of the device. The vulnerability is remotely exploitable without authentication.

📋 TL;DR

CVE-2023-29665 is a critical stack overflow vulnerability in D-Link DIR823G routers that allows remote attackers to execute arbitrary code by sending specially crafted requests to the SetPasswdSettings HNAP endpoint. This affects all users of DIR823G routers running vulnerable firmware versions, potentially giving attackers full control of the device. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:

D-Link DIR823G

Versions: V1.0.2B05 and likely earlier versions

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the HNAP1 protocol implementation. The vulnerability is in the web management interface accessible via HTTP/HTTPS.

📦 What is this software?

Dir 823g Firmware by Dlink

View all CVEs affecting Dir 823g Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, credential theft, and use as a pivot point to attack internal networks.

🟠

Likely Case

Remote code execution allowing attackers to modify router settings, intercept traffic, deploy malware, or join botnets.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal attackers could still exploit.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HNAP protocol which is typically accessible from WAN interface.

🏢 Internal Only: HIGH - Even internally, the vulnerability requires no authentication and can be exploited by any network user.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof-of-concept code is publicly available on GitHub. The exploit requires sending a specially crafted HTTP POST request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security bulletin for latest patched version

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Log into D-Link support portal. 2. Download latest firmware for DIR823G. 3. Access router web interface. 4. Navigate to System Tools > Firmware Upgrade. 5. Upload and apply new firmware. 6. Reboot router after completion.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Access router web interface > Advanced > Remote Management > Disable

Block HNAP Ports

linux

Block access to HNAP protocol ports on firewall

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network segmentation to limit router's access to critical systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Status > Device Info. If version is V1.0.2B05 or earlier, device is vulnerable.

Check Version:

curl -s http://router-ip/HNAP1/ | grep -i version or check web interface

Verify Fix Applied:

After firmware update, verify version shows patched release. Test by attempting to send crafted request to /HNAP1/ endpoint (not recommended on production).

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /HNAP1/
Multiple failed authentication attempts followed by SetPasswdSettings requests
Large payloads sent to HNAP endpoints

Network Indicators:

HTTP POST requests to /HNAP1/ with oversized NewPassword parameter
Traffic to router on ports 80/443/8080 from unexpected sources

SIEM Query:

source="router_logs" AND (uri="/HNAP1/" AND method="POST" AND (param="NewPassword" OR data_size>1000))

📊 Metadata

CVE ID: CVE-2023-29665

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: April 17, 2023

Last Updated: February 6, 2025

🔗 References

https://github.com/726232111/VulIoT/tree/main/D-Link/DIR823G%20V1.0.2B05/HNAP1/boSetPasswdSettings Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Vendor Advisory
https://github.com/726232111/VulIoT/tree/main/D-Link/DIR823G%20V1.0.2B05/HNAP1/boSetPasswdSettings Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-29665, you might also want to check these: