CVE-2019-16920

Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
References
Link Resource
https://fortiguard.com/zeroday/FG-VD-19-117 Broken Link Third Party Advisory
https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 Exploit Third Party Advisory
https://www.kb.cert.org/vuls/id/766427 Third Party Advisory US Government Resource
https://www.seebug.org/vuldb/ssvid-98079 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dir-655_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-655:cx:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:dlink:dir-866l_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-866l:ax:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:dlink:dir-652_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-652:ax:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:dlink:dhp-1565_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dhp-1565:ax:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:dlink:dir-855l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-855l:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:dlink:dap-1533_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dap-1533:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:dlink:dir-862l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-862l:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:dlink:dir-615_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-615:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:dlink:dir-835_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-835:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:dlink:dir-825_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-825:-:*:*:*:*:*:*:*

History

16 Jul 2024, 17:54

Type Values Removed Values Added
CPE cpe:2.3:h:dlink:dir-825:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-825_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-615_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-835_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dap-1533:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-615:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-855l:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-862l:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-855l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dap-1533_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-862l_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-835:-:*:*:*:*:*:*:*
First Time Dlink dir-862l Firmware
Dlink dir-615
Dlink dir-855l Firmware
Dlink dir-615 Firmware
Dlink dir-825 Firmware
Dlink dir-855l
Dlink dir-835 Firmware
Dlink dir-825
Dlink dap-1533
Dlink dap-1533 Firmware
Dlink dir-862l
Dlink dir-835
References () https://fortiguard.com/zeroday/FG-VD-19-117 - Third Party Advisory () https://fortiguard.com/zeroday/FG-VD-19-117 - Broken Link, Third Party Advisory
References () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 - () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 - Exploit, Third Party Advisory
References () https://www.kb.cert.org/vuls/id/766427 - () https://www.kb.cert.org/vuls/id/766427 - Third Party Advisory, US Government Resource
References () https://www.seebug.org/vuldb/ssvid-98079 - () https://www.seebug.org/vuldb/ssvid-98079 - Exploit, Third Party Advisory

07 Nov 2023, 03:06

Type Values Removed Values Added
References
  • {'url': 'https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3', 'name': 'https://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3', 'tags': [], 'refsource': 'MISC'}
  • () https://medium.com/%4080vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3 -

Information

Published : 2019-09-27 12:15

Updated : 2024-07-16 17:54


NVD link : CVE-2019-16920

Mitre link : CVE-2019-16920

CVE.ORG link : CVE-2019-16920


JSON object : View

Products Affected

dlink

  • dap-1533_firmware
  • dir-866l
  • dir-615
  • dir-855l_firmware
  • dir-655_firmware
  • dir-655
  • dir-862l
  • dir-615_firmware
  • dir-825_firmware
  • dap-1533
  • dhp-1565_firmware
  • dir-652
  • dhp-1565
  • dir-866l_firmware
  • dir-855l
  • dir-825
  • dir-652_firmware
  • dir-835_firmware
  • dir-862l_firmware
  • dir-835
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')