CVE-2025-60568

D-Link · D-Link Multiple Products

A high-severity buffer overflow vulnerability has been identified in multiple D-Link products, including the DIR-600L router.

Executive summary

A high-severity buffer overflow vulnerability has been identified in multiple D-Link products, including the DIR-600L router. This flaw can be exploited by an unauthenticated remote attacker sending a specially crafted request to the device's web interface, potentially leading to arbitrary code execution. Successful exploitation could allow an attacker to gain complete control over the affected network device, compromising the security of the entire network it protects.

Vulnerability

This vulnerability is a classic buffer overflow that exists in the formAdvFirewall function of the device's web management interface. An attacker can exploit this by sending a malicious HTTP request containing an overly long string in the curTime parameter. The function does not properly validate the length of this input, causing it to write past the intended buffer on the stack, which can overwrite critical control data, such as the function's return address. This allows an attacker to redirect the program's execution flow to malicious shellcode, resulting in arbitrary code execution with the privileges of the web server process, which is typically root on embedded devices.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5, posing a significant risk to the organization. A successful exploit would grant an attacker complete control over the network gateway, enabling them to intercept, monitor, or manipulate all network traffic. Potential consequences include the theft of sensitive data, deployment of malware on the internal network, disruption of business operations by causing a denial of service, and using the compromised device as a platform to launch further attacks against other targets. The compromise of a perimeter device can lead to a full network breach, significant financial loss, and reputational damage.

Remediation

Immediate Action: Identify all affected D-Link devices within the environment and apply the security updates provided by the vendor without delay. Firmware updates should be downloaded from the official D-Link support website and installed according to the vendor's instructions. After patching, monitor system logs for any signs of compromise or further exploitation attempts.

Proactive Monitoring: System administrators should actively monitor for signs of exploitation. Review web server access logs on the D-Link devices for unusually long requests to pages related to the advanced firewall configuration, specifically requests in which the curTime parameter is unusually long. Configure network intrusion detection systems (IDS) to alert on signatures associated with this CVE or on generic buffer overflow attempts against the device's management interface. Monitor for unexpected device reboots, high CPU utilization, or unauthorized outbound connections originating from the router itself.
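The log review described above can be scripted. The following is an added example written for this advisory, not code from D-Link or from any vendor tool. It assumes a Common Log Format access log with an optional trailing request-body field (a constructed format; many embedded web servers log only the request line), treats any path containing formAdvFirewall as the advanced firewall handler, and uses a length threshold for curTime that is an assumption, since the advisory does not state the size of the overflowed buffer. The sample log lines are constructed for the example.

```python
"""Flag access-log entries that look like attempts to overflow the curTime
parameter of the advanced-firewall form handler (formAdvFirewall)."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example, not values from the advisory or the vendor:
# a legitimate curTime value is short, so anything much longer is suspect,
# and the handler is reached through a path that names formAdvFirewall.
CURTIME_MAX_LEN = 32
REQUEST_LINE_MAX_LEN = 512
FIREWALL_MARKERS = ("formadvfirewall",)

# Common Log Format plus an optional quoted request body at the end.
# The body field is a constructed convention for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<body>[^"]*)")?$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_params(target, body):
    """Merge query-string and form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def classify(line):
    """Return the reasons a log line is suspicious (empty list if benign)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable line"]
    # Only requests aimed at the advanced firewall handler are of interest.
    if not any(marker in rec["target"].lower() for marker in FIREWALL_MARKERS):
        return []
    reasons = []
    params = extract_params(rec["target"], rec["body"])
    for value in params.get("curTime", []):
        if len(value) > CURTIME_MAX_LEN:
            reasons.append(f"curTime length {len(value)} exceeds {CURTIME_MAX_LEN}")
    # Catch oversized requests even when the parameter is not parseable.
    req_line_len = len(f'{rec["method"]} {rec["target"]} {rec["proto"]}')
    if req_line_len > REQUEST_LINE_MAX_LEN:
        reasons.append(f"request line length {req_line_len} exceeds {REQUEST_LINE_MAX_LEN}")
    return reasons


def scan(lines):
    """Return (source ip, timestamp, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            rec = parse_line(line)
            hits.append((rec["ip"] if rec else None,
                         rec["ts"] if rec else None, reasons))
    return hits


# Constructed sample log: one benign page load, one benign firewall save,
# one POST with an oversized curTime body value, one GET with an oversized
# curTime query value.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2025:11:59:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.4 - - [10/Oct/2025:11:59:30 +0000] "POST /goform/formAdvFirewall HTTP/1.1" 200 512 '
    '"curTime=1700000000&enable=1"',
    '203.0.113.9 - - [10/Oct/2025:12:00:00 +0000] "POST /goform/formAdvFirewall HTTP/1.1" 200 512 '
    '"curTime=' + "A" * 300 + '&enable=1"',
    '203.0.113.9 - - [10/Oct/2025:12:00:05 +0000] "GET /goform/formAdvFirewall?curTime='
    + "A" * 600 + ' HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip}: {'; '.join(reasons)}")
```

Because most access logs do not record POST bodies, the curTime check only fires on parameters visible in the request line; for form submissions in the body, the request-length check is the fallback, and full coverage needs an IDS or packet capture in front of the device, as the advisory recommends.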

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Disable remote (WAN) access to the device's web administration interface.
  • Restrict access to the management interface to a dedicated and trusted management network or specific IP addresses.
  • Place the device behind a Web Application Firewall (WAF) or an IDS/IPS capable of detecting and blocking buffer overflow attack patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity of this vulnerability (CVSS 7.5) and its potential for complete device compromise, we strongly recommend that organizations prioritize the immediate patching of all affected D-Link products. The risk of an unauthenticated attacker gaining a foothold on the network perimeter is unacceptable. Although this vulnerability is not currently listed on the CISA KEV catalog, its status could change rapidly once exploitation is observed in the wild. If patching cannot be performed immediately, the compensating controls listed above must be implemented without delay to mitigate the immediate threat.