CVE-2021-42783, CVE-2021-42784
Multiple Vulnerabilities - D-Link DWR-932C E1 Firmware 1.0.0.4 (CVE-2021-42783, CVE-2021-42784)
CVE ID
CVE-2021-42783 CVE-2021-42784
Description
Multiple vulnerabilities in D-Link DWR-932C E1 firmware allow an unauthenticated attacker to remotely execute arbitrary code.
Tested Versions
D-Link DWR-932C E1 Firmware 1.0.0.4
Details
There exist two separate vulnerabilities in D-Link DWR-932C E1 Firmware 1.0.0.4 (the latest version at the time of reporting) that allow a remote attacker to achieve remote code execution.
CVE-2021-42783: Missing Authentication in debug_post_set.cgi in D-Link DWR-932C E1 Firmware 1.0.0.4
Lack of authentication in debug_post_set.cgi in D-Link DWR-932C E1 Firmware 1.0.0.4 allows an unauthenticated remote attacker to perform administrative actions via a crafted HTTP request.
CVE-2021-42784: OS Command Injection in debug_fcgi in D-Link DWR-932C E1 Firmware 1.0.0.4
Command injection in debug_fcgi in D-Link DWR-932C E1 Firmware 1.0.0.4 allows a remote attacker to execute arbitrary OS commands via a crafted HTTP request.
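The two bug classes above (a CGI endpoint reachable without a session, and request data spliced into an OS command), as an added example that is not part of the original advisory and not the D-Link firmware's own code: a hypothetical CGI "debug" handler in C that shows the vulnerable command-building pattern next to a hardened version (session check before anything else, allow-listed input, execve with a fixed argv instead of a shell). The parameter name host, the ping action, and every function name are invented for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical CGI "debug" handler illustrating the two bug classes in this
 * advisory (missing authentication, OS command injection) and their fixes.
 * This is NOT the D-Link DWR-932C code; the parameter name "host" and the
 * ping action are invented for the illustration.
 */

/* Copy the value of `key` out of an application/x-www-form-urlencoded body.
 * Returns the value length, or -1 if the key is absent or the value does not
 * fit. Percent-decoding is deliberately omitted to keep the example short. */
int form_get(const char *body, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return -1;
}

/* VULNERABLE pattern: the request value is spliced into a shell command line
 * that would then go to system()/popen(). Only the string is built here; it
 * is never executed. Returns 0 on success, -1 if truncated. */
int build_ping_cmd_vuln(const char *host, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Fix 1: allow-list the value. A hostname or IPv4 literal needs only
 * alphanumerics, '.' and '-'; shell metacharacters such as ';', '|', '`',
 * '$', '&' and newlines are rejected. A leading '-' is also refused so the
 * value cannot be parsed as a ping option. */
int is_safe_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Fix 2: never involve a shell. fork/execve with a fixed argv makes the value
 * exactly one argument to /bin/ping, whatever it contains. Returns the child's
 * exit status, or -1 on validation or process failure. */
int run_ping_safe(const char *host) {
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        char *const envp[] = {NULL};
        execve("/bin/ping", argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Fix 3: the endpoint checks the session BEFORE touching the body. Returns an
 * HTTP status: 401 without a session, 400 for a missing or unsafe host,
 * 200 when the request would be allowed through to run_ping_safe(). */
int handle_debug_post(int has_valid_session, const char *body) {
    char host[256];
    if (!has_valid_session) return 401;
    if (form_get(body, "host", host, sizeof host) < 0) return 400;
    if (!is_safe_host(host)) return 400;
    return 200;
}

int main(void) {
    /* Constructed request body: a benign-looking host with a trailing command. */
    const char *body = "host=10.0.0.1;id&dummy=1";
    char host[256], cmd[512];
    form_get(body, "host", host, sizeof host);
    build_ping_cmd_vuln(host, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd); /* ping -c 1 10.0.0.1;id */
    printf("unauthenticated: %d  authenticated+unsafe: %d  authenticated+safe: %d\n",
           handle_debug_post(0, body), handle_debug_post(1, body),
           handle_debug_post(1, "host=10.0.0.1"));
    return 0;
}
```

The demo deliberately stops at building the vulnerable string and never calls run_ping_safe(), so nothing is executed on the machine running it. The ordering in handle_debug_post() is the point of the first CVE: an endpoint that is only meant for debugging still has to reject requests without a valid session before it parses anything, and the fix for the second CVE is not a better blocklist but removing the shell from the path entirely; the allow-list is defence in depth on top of that.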
Timeline
- 2021-08-12 - Vendor Disclosure
- 2021-09-02 - Vendor Patch
- 2021-11-09 - Public Release
Credit
Discovered by Eugene Lim from Government Technology Agency of Singapore.