The editors of the German IT magazine CHIP together with the experts from IoT Inspector (who provided their security platform for automated IoT firmware checks) conducted a major security test that uncovered vulnerabilities in all common Wi-Fi routers.
Nine Wi-Fi routers from well-known manufacturers underwent a thorough security test under laboratory conditions, and the results are devastating from an IT security standpoint: a total of 226 potential security vulnerabilities were found in devices from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys, devices that are in circulation by the millions. The worst performers were the TP-Link Archer AX6000 with 32 vulnerabilities and the Synology RT-2600ac with 30.
CVE-2021-45382 is a Remote Code Execution (RCE) vulnerability that exists in all hardware revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L routers, via the DDNS function in the ncc2 binary.
DDNS (Dynamic Domain Name System) is a function that lets a system with a dynamic IP address stay reachable under a stable hostname: the system updates its DNS record whenever its address changes, so clients can still connect to a resource somewhere on the Internet whose IP address may change at any time.
The ncc2 service on the affected devices allows basic firmware and language file upgrades via the web interface. It also appears to have shipped with a number of diagnostic hooks. Unfortunately, these hooks can be called without authentication. The resources behind them do not exist as files on the device's filesystem and do not appear to be static; instead, they appear to be rendered on request, and they can be used both to interrogate the device for information and to enable diagnostic services on demand.
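The flaw class described above, diagnostic hooks that bypass the web interface's login check, is easiest to see as a vulnerable request dispatcher beside a hardened one. The following is an added example written for this page, not D-Link's ncc2 code: the route names (`/diag/sysinfo`, `/diag/enable_shell`), the session token and the request shape are all hypothetical, and the hardened version shows the two controls a defender wants, authentication before any routing (default deny) and diagnostic hooks compiled out of release firmware.

```python
"""Vulnerable vs. hardened dispatcher for device diagnostic hooks.
Added illustration; route names, tokens and request shape are hypothetical."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed session store (token -> user). Real firmware would use
# server-side sessions with expiry; this is enough to show the check.
VALID_SESSIONS: Dict[str, str] = {"tok-admin-0001": "admin"}

Response = Tuple[int, str]  # (HTTP status, body)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def session_user(req: Request) -> Optional[str]:
    """Return the logged-in user for the request, or None if unauthenticated."""
    token = req.headers.get("Cookie", "").removeprefix("session=")
    return VALID_SESSIONS.get(token)


# --- diagnostic hooks (hypothetical names, constructed output) ---------------
def diag_sysinfo(req: Request) -> Response:
    return 200, "model=EXAMPLE-ROUTER fw=1.0"


def diag_enable_shell(req: Request) -> Response:
    return 200, "diagnostic service enabled"


DIAG_HOOKS: Dict[str, Callable[[Request], Response]] = {
    "/diag/sysinfo": diag_sysinfo,
    "/diag/enable_shell": diag_enable_shell,
}

PUBLIC_PATHS = {"/login"}


# --- vulnerable dispatcher: auth is checked per page, the hooks were forgotten
def vulnerable_dispatch(req: Request) -> Response:
    if req.path in DIAG_HOOKS:
        return DIAG_HOOKS[req.path](req)  # reachable with no session at all
    if req.path in PUBLIC_PATHS:
        return 200, "login page"
    if session_user(req) is None:
        return 401, "login required"
    return 200, "admin page"


# --- hardened dispatcher: default deny, hooks gated twice --------------------
DIAG_ENABLED_IN_BUILD = False  # release firmware should not ship the hooks


def hardened_dispatch(req: Request) -> Response:
    if req.path in PUBLIC_PATHS:
        return 200, "login page"
    if session_user(req) is None:  # authenticate before any routing decision
        return 401, "login required"
    if req.path in DIAG_HOOKS:
        if not DIAG_ENABLED_IN_BUILD:  # compiled out: not even admins can reach it
            return 404, "not found"
        return DIAG_HOOKS[req.path](req)
    return 200, "admin page"


def demo() -> Dict[str, int]:
    """Status codes for an anonymous and an authenticated caller."""
    anon = Request("GET", "/diag/enable_shell")
    admin = Request("GET", "/diag/sysinfo", {"Cookie": "session=tok-admin-0001"})
    return {
        "vulnerable_anon": vulnerable_dispatch(anon)[0],  # 200: hook enabled by anyone
        "hardened_anon": hardened_dispatch(anon)[0],      # 401: login required first
        "hardened_admin": hardened_dispatch(admin)[0],    # 404: hook absent in release
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in `hardened_dispatch` is the point: the authentication check runs before the path is matched against any handler table, so a hook added later cannot accidentally fall outside the protected set, and the build flag means a forgotten hook in a release image returns the same 404 as any unknown path.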
As for mitigation, it seems best to replace the affected models with a more secure device. CISA recently gave similar advice for the D-Link DIR-610 and DIR-645, as well as for the Netgear DGN2200. A Proof of Concept (PoC) is publicly available on GitHub, which makes it trivial for anyone with malicious intentions to take control of the vulnerable routers.