10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.003 Low
EPSS
Percentile
69.8%
The D-Link DAP-1320 Rev Ax firmware update mechanism contains a command injection vulnerability.
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism. This attack does require interception and manipulation of network communications using commonly available tools.
The D-Link DAP-1320 Rev Ax firmware version 1.11 (released 22 Dec 2013) has been shown to be vulnerable. Other firmware versions prior to version 1.21b05 may also be vulnerable.
A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism.
Update the firmware
According to D-Link’s security advisory, users should update the firmware of affected devices to version 1.21b05.
184100
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: March 13, 2015
Affected
We have not received a statement from the vendor.
A firmware update is available from the vendor.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.8 | E:POC/RL:OF/RC:C |
Environmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for discovering and reporting this vulnerability. Tangible Security would also like to publically thank D-Link for their cooperation and desire to make their products and customers more secure.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-2050 |
---|---|
Date Public: | 2015-03-13 Date First Published: |