Main Vulnerability Database Vulnerabilities #VU25573

Incorrect Comparison in D-Link products - CVE-2020-8864

Published: February 25, 2020

Vulnerability identifier: #VU25573

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-8864

CWE-ID: CWE-697

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: D-Link

Affected software:
DIR-867-US
DIR-878
DIR-882-US

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a lack of proper handling of empty passwords within the handling of HNAP strncmp login requests. A remote attacker on the local network can bypass authentication and reset the admin password.

An attacker can leverage this vulnerability to execute arbitrary code on the router.

How to mitigate CVE-2020-8864

Install updates from vendor's website.

Sources

https://www.zerodayinitiative.com/advisories/ZDI-20-268/
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10157

Incorrect Comparison in D-Link products - CVE-2020-8864

Detailed vulnerability description

How to mitigate CVE-2020-8864

Sources

Please verify you're human