CVE-2020-8862

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the lack of proper password checking. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-10082.

Recent assessments:

kevthehermit at February 22, 2020 2:23pm UTC reported:

This appliance is targetted towards small to medium enterprise which means it more valuable to an attacker than attacks against home user equipment.

If compromised access to this device could be used to perform network-level compromise via DNS attacks or reveal sensitive information about the network.

It requires local network access in order to exploit the vulnerability. This device lists “Guest access control” as one of its features so depending on its configuration Local access my be available.

Devices like APs and embedded devices are often overlooked when applying security updates and patches.

At the time of analysis, there is no firmware update available to remediate the vulnerability although POC code does not yet appear to be publicly available.

Despite the absence of available POC code it is trivial to download the firmware and extract the files system. A determined attacker could then identify the exploit manually.

Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 2