CERTVU:677427D-Link routers HNAP service contains stack-based buffer overflow
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.967 High
EPSS
Percentile
99.7%
Overview
D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.
Description
CWE-121:Stack-based Buffer Overflow - CVE-2016-6563
Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha.
CVE-2016-6563 appears to affect:
* DIR-823
* DIR-822
* DIR-818L(W)
* DIR-895L
* DIR-890L
* DIR-885L
* DIR-880L
* DIR-868L
* DIR-850L
Impact
A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.
Solution
Apply an update
D-Link has released firmware updates to address the vulnerabilities in affected routers. Please see their announcement.
If you are unable to update your device, please see the following workarounds:
Restrict Access
As a general good security practice, only allow connections from trusted hosts and networks. Additionally, you may wish to disable remote administration of the router.
Vendor Information
677427
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
D-Link Systems, Inc. Affected
Notified: September 12, 2016 Updated: October 27, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 8 | E:POC/RL:W/RC:ND |
| Environmental | 6.0 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
References
- <http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10066>
- <https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt>
- <https://cwe.mitre.org/data/definitions/121.html>
Acknowledgements
Thanks to Pedro Ribeiro ([email protected]) of Agile Information Security for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
| CVE IDs: | CVE-2016-6563 |
|---|---|
| Date Public: | 2016-11-07 Date First Published: |
Related
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.967 High
EPSS
Percentile
99.7%