Incorrect Implementation of Authentication Algorithm in D-Link products - CVE-2020-8863

 


Published: February 25, 2020


Vulnerability identifier: #VU25572
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-8863
CWE-ID: CWE-303
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: D-Link
Affected software:
DIR-867-US
DIR-878
DIR-882-US

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to a lack of proper implementation of the authentication algorithm within the handling of HNAP PrivateLogin login requests. A remote attacker on the local network can bypass authentication and reset the admin password.

An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the router.


How to mitigate CVE-2020-8863

Install updates from the vendor's website.
