Default password on Quagga Service (CVE-2021-20132)
CVSSv3 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score 8.8)
D-Link's DIR-2640 router, with the latest firmware (1.11B02) enables the Quagga network configuration services by default, with /sbin/zebra listening on tcp port 2601 and /sbin/ripd listening on tcp port 2602. These services are configured to use a default password for both accessing the command line interface and escalating privileges with the enable command. This password can be easily discovered, and used to gain complete control of both services, each of which are running with root privileges (that is, as the admin user, with UID 0).
Arbitrary file read and denial of service (CVE-2021-20133)
CVSSv3 Vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H (Base Score 6.1)
An attacker can read a large portion of any text file on the filesystem (since the daemon runs with root privileges) by dropping into the configuration terminal interface and then setting the path for the "message of the day" banner to any file on the system. A sensitive file such as /etc/passwd can be declared the "message of the day" in this fashion, and read by the attacker when they next connect to the service.
This will set the "message of the day" banner to contents of /etc/passwd. By logging back in, the attacker can retrieve the contents of the file. Long filess may be displayed only in part, and binary data will likely be corrupted, but reasonably short text files in the ASCII encoding can be read in their entirety in this fashion.
If the attacker sets the "message of the day" path to a special device such as /dev/urandom, then they can bring about a denial of service to the Quagga cli interface.
Arbitrary file append (CVE-2021-20134)
CVSSv3 Vector: AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Base Score 8.4)
An attacker can append to any file they wish in the Quagga command line interface by, again, entering the configuration terminal and then setting the path for the log file to any file they wish on the system. They can then issue a log message with the command logmsg alerts, which will be appended to the end of that file, following a short prefix. By appending to the end of a shell script, for instance, the attacker can achieve remote code execution as root (i.e., "admin"), so long as they are able to either trigger the execution of that script, or wait until the script is executed. This technique can be used to install a backdoor on the router.