CVE-2017-8417

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on the mobile devices and desktop to communicate with the device without any authentication. As a part of that communication, the device uses custom version of base64 encoding to pass data back and forth between the apps and the device. However, the same form of communication can be initiated by any process including an attacker process on the mobile phone or the desktop and this allows a third party to retrieve the device's password without any authentication by sending just 1 UDP packet with custom base64 encoding. The severity of this attack is enlarged by the fact that there more than 100,000 D-Link devices out there.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:dlink:dcs-1100_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dcs-1100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dcs-1130:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:34

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html - Third Party Advisory, VDB Entry
References () https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf - Exploit, Third Party Advisory () https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf - Exploit, Third Party Advisory
References () https://seclists.org/bugtraq/2019/Jun/8 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/Jun/8 - Mailing List, Third Party Advisory

Information

Published : 2019-07-02 21:15

Updated : 2024-11-21 03:34


NVD link : CVE-2017-8417

Mitre link : CVE-2017-8417

CVE.ORG link : CVE-2017-8417


JSON object : View

Products Affected

dlink

  • dcs-1100_firmware
  • dcs-1100
  • dcs-1130_firmware
  • dcs-1130
CWE
CWE-255

Credentials Management Errors