Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:184100
HistoryMar 16, 2015 - 12:00 a.m.

D-Link DAP-1320 Rev Ax is vulnerable to a command injection

2015-03-1600:00:00
www.kb.cert.org
11

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

69.8%

JSON

Overview

The D-Link DAP-1320 Rev Ax firmware update mechanism contains a command injection vulnerability.

Description

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism. This attack does require interception and manipulation of network communications using commonly available tools.

The D-Link DAP-1320 Rev Ax firmware version 1.11 (released 22 Dec 2013) has been shown to be vulnerable. Other firmware versions prior to version 1.21b05 may also be vulnerable.

Impact

A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism.

Solution

Update the firmware

According to D-Link’s security advisory, users should update the firmware of affected devices to version 1.21b05.

Vendor Information

184100

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

D-Link Systems, Inc. __ Affected

Updated: March 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

A firmware update is available from the vendor.

Vendor References

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for discovering and reporting this vulnerability. Tangible Security would also like to publically thank D-Link for their cooperation and desire to make their products and customers more secure.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2050
Date Public: 2015-03-13 Date First Published:

Related

cvelist 1
openvas 1
prion 1
cve 1
nvd 1
cvelist
cvelist
CVE-2015-2050
2015-02-23 17:00:00
openvas
openvas
D-Link DAP-1320 < 1.21b05 RCE Vulnerability
2023-04-19 00:00:00
prion
prion
Command injection
2015-02-23 17:59:00
cve
cve
CVE-2015-2050
2015-02-23 17:59:07
nvd
nvd
CVE-2015-2050
2015-02-23 17:59:07

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

69.8%

JSON
Related for VU:184100
cvelist1openvas1prion1cve1nvd1