SB2017090805 - Multiple vulnerabilities in D-Link DIR-850L

Published: September 8, 2017 Updated: January 23, 2019

Security Bulletin ID: SB2017090805
CSH Severity: High
Patch available: NO
Number of vulnerabilities: 19
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 11%, Low: 89%

Description

This security bulletin contains information about 19 vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2016-10179)

CWE-ID: CWE-259 - Use of Hard-coded Password

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a lack of proper firmware protection. A remote attacker can use a hardcoded password to gain access to the firmware and upload new firmware to the router.

2) Cross-site scripting (CVE-ID: CVE-2017-14413)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal the authentication cookies and gain access to the device.


3) Information disclosure (CVE-ID: CVE-2017-14419)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to improper privileges and access controls. A remote attacker can retrieve the admin password from the router and use it to associate the user's router with their own MyDLink cloud account, effectively taking control of the device.


4) Information disclosure (CVE-ID: CVE-2017-14417)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to improper encryption of the TCP tunnel in the MyDLink cloud protocol. A remote attacker can view communications between the user's router and the MyDLink account.


5) Man-in-the-middle attack (CVE-ID: CVE-2017-14422)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to conduct a man-in-the-middle attack.

The weakness exists due to the use of hardcoded private encryption keys for the TCP tunnel. A remote attacker can extract these encryption keys and perform MitM attacks to read and modify arbitrary data on the system.


6) Backdoor (CVE-ID: CVE-2016-10178)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to the presence of backdoor code. A remote attacker can obtain passwords via 'PUT' and 'GET' requests, use the backdoor account (Alphanetworks / wrgac25_dlink.2013gui_dir850l) to gain access to the router, and update the firmware with a custom one.


7) Security restrictions bypass (CVE-ID: CVE-2017-14423)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass security restrictions.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to bypass security restrictions, alter DNS settings and perform further routing and brute-force attacks.


8) Information disclosure (CVE-ID: CVE-2017-14424)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the storage of credentials in cleartext. A local attacker can view arbitrary files on the system.


9) Command injection (CVE-ID: CVE-2017-14429)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to a command injection flaw in the router's internal DHCP client. A remote attacker can inject and execute arbitrary commands to perform actions with root privileges.


10) Denial of service (CVE-ID: CVE-2017-14430)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a DoS condition.

The weakness exists due to an unspecified error. A remote attacker can cause router daemons to crash.


11) Information disclosure (CVE-ID: CVE-2017-14420)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to improper privileges and access controls. A remote attacker can retrieve the admin password from the router and use it to associate the user's router with their own MyDLink cloud account, effectively taking control of the device.


12) Information disclosure (CVE-ID: CVE-2017-14418)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to improper encryption of the TCP tunnel in the MyDLink cloud protocol. A remote attacker can view communications between the user's router and the MyDLink account.


13) Cross-site scripting (CVE-ID: CVE-2017-14416)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal the authentication cookies and gain access to the device.


14) Cross-site scripting (CVE-ID: CVE-2017-14415)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal the authentication cookies and gain access to the device.


15) Cross-site scripting (CVE-ID: CVE-2017-14414)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal the authentication cookies and gain access to the device.


16) Information disclosure (CVE-ID: CVE-2017-14428)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the storage of credentials in cleartext. A local attacker can view arbitrary files on the system.


17) Information disclosure (CVE-ID: CVE-2017-14427)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the storage of credentials in cleartext. A local attacker can view arbitrary files on the system.


18) Information disclosure (CVE-ID: CVE-2017-14426)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the storage of credentials in cleartext. A local attacker can view arbitrary files on the system.


19) Information disclosure (CVE-ID: CVE-2017-14425)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to obtain potentially sensitive information.

The weakness exists due to the storage of credentials in cleartext. A local attacker can view arbitrary files on the system.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.