CVE-2023-45578

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in multiple D-Link router models allows remote attackers to execute arbitrary code by sending specially crafted requests to the pppoe_base.asp function. This affects D-Link DI-7003GV2, DI-7100G+V2, DI-7100GV2, DI-7200G+V2, DI-7200GV2, DI-7300G+V2, and DI-7400G+V2 devices running vulnerable firmware versions. Attackers can gain full control of affected devices without authentication.

💻 Affected Systems

Products:
  • D-Link DI-7003GV2.D1
  • D-Link DI-7100G+V2.D1
  • D-Link DI-7100GV2.D1
  • D-Link DI-7200G+V2.D1
  • D-Link DI-7200GV2.E1
  • D-Link DI-7300G+V2.D1
  • D-Link DI-7400G+V2.D1
Versions: DI-7003GV2.D1 v23.08.25D1 and before, DI-7100G+V2.D1 v23.08.23D1 and before, DI-7100GV2.D1 v23.08.23D1, DI-7200G+V2.D1 v23.08.23D1 and before, DI-7200GV2.E1 v23.08.23E1 and before, DI-7300G+V2.D1 v23.08.23D1, DI-7400G+V2.D1 v23.08.23D1 and before
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with web management interface enabled are vulnerable. PPPoE configuration page must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to persistent backdoor installation, network traffic interception, lateral movement to internal networks, and botnet recruitment.

🟠 Likely Case

Remote code execution allowing attacker to reconfigure device, steal credentials, or use device as pivot point for internal attacks.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Devices are typically internet-facing routers, directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal devices could be targeted via compromised internal hosts or phishing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists in a GitHub repository. Exploitation requires sending an HTTP POST request with a crafted pap_en/chap_en parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check D-Link support website for firmware updates.
2. Download latest firmware for your model.
3. Access router web interface.
4. Navigate to firmware update section.
5. Upload and apply new firmware.
6. Reboot device.

🔧 Temporary Workarounds

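Disable web management interface (platform: all)

Prevent access to the vulnerable web interface by disabling remote management:

Access router web interface -> Administration -> Remote Management -> Disable

Restrict access with firewall rules (platform: linux)

Block external access to the router management interface. As written, these rules drop inbound TCP 80 and 443 from every source on the host where they are applied, so management access from the LAN is blocked as well.

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP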

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for exploitation attempts and anomalous traffic

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under Maintenance -> Firmware or via SSH/Telnet if enabled

Check Version:

curl -s http://router-ip/status.asp | grep -i firmware || ssh admin@router-ip 'show version'

Verify Fix Applied:

Verify firmware version is newer than affected versions listed above

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /pppoe_base.asp with long pap_en/chap_en parameters
  • Unusual process execution in router logs
  • Configuration changes without authorization

Network Indicators:

  • HTTP traffic to router management interface with abnormal parameter lengths
  • Outbound connections from router to unknown IPs

SIEM Query:

source="router_logs" AND (uri="/pppoe_base.asp" AND (param_length>100 OR method="POST"))
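
The first log indicator above (requests to /pppoe_base.asp with long pap_en/chap_en values) written as a small detector. This is an added example, not code from the advisory or the vendor. It assumes a hypothetical JSON-lines request log with `src`, `method`, `uri` and `body` fields, the function names are illustrative, and the 100-character threshold is taken from the SIEM query above.

```python
import json
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/pppoe_base.asp"   # page named in the log indicators
WATCHED = {"pap_en", "chap_en"}   # parameters named in the log indicators
MAX_LEN = 100                     # same threshold as the SIEM query

def suspicious_params(event):
    """Return [(name, decoded_length)] for over-long watched parameters."""
    url = urlsplit(str(event.get("uri", "")))
    if url.path.lower() != TARGET_PATH:
        return []
    # Query-string parameters count for any method; the body only for POST.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if str(event.get("method", "")).upper() == "POST":
        pairs += parse_qsl(str(event.get("body", "")), keep_blank_values=True)
    return [(k, len(v)) for k, v in pairs if k in WATCHED and len(v) > MAX_LEN]

def scan(lines):
    """Scan JSON-lines request logs; return one alert per offending request."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue              # skip lines that are not JSON
        if not isinstance(event, dict):
            continue
        hits = suspicious_params(event)
        if hits:
            alerts.append({"line": lineno, "src": event.get("src"), "params": hits})
    return alerts

# Constructed sample events (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    json.dumps({"src": "192.0.2.10", "method": "POST", "uri": "/pppoe_base.asp",
                "body": "pap_en=1&chap_en=1"}),
    json.dumps({"src": "198.51.100.7", "method": "POST", "uri": "/pppoe_base.asp",
                "body": "pap_en=" + "A" * 400 + "&chap_en=1"}),
    json.dumps({"src": "192.0.2.10", "method": "GET", "uri": "/status.asp"}),
    "truncated or non-JSON line",
    json.dumps({"src": "198.51.100.7", "method": "GET",
                "uri": "/pppoe_base.asp?chap_en=" + "B" * 150}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Lengths are measured after percent-decoding, so a value that is long only because it is URL-encoded is judged by its decoded size.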
