
D-Link DIR-601 Failed Password Change Control Vulnerability

Published: 05 May 2018 00:00:00
Reported by: Joe Gray
Type: zdt
Source: 0day.today
Views: 96

D-Link DIR-601 A1 1.02NA password change vulnerability

Related

Reporter | Title | Published | Family
BDU FSTEC | The vulnerability of D-Link DIR-601 router’s microprogramming software allows a hacker to circumvent existing security restrictions. | 7 Jun 2023 00:00 | bdu_fstec
CNVD | Information Disclosure Vulnerability in D-Link DIR-601 | 8 May 2018 00:00 | cnvd
CVE | CVE-2018-10641 | 4 May 2018 03:00 | cve
Cvelist | CVE-2018-10641 | 4 May 2018 03:00 | cvelist
EUVD | EUVD-2018-2713 | 7 Oct 2025 00:30 | euvd
NVD | CVE-2018-10641 | 4 May 2018 03:29 | nvd
OSV | CVE-2018-10641 | 4 May 2018 03:29 | osv
Prion | Default credentials | 4 May 2018 03:29 | prion
Positive Technologies | PT-2018-3908 · D Link · D-Link Dir-601 | 3 May 2018 00:00 | ptsecurity

[Suggested description]
 D-Link DIR-601 A1 1.02NA devices do not require the old password for a
password change, which occurs in cleartext.

 ------------------------------------------

 [Additional Information]
 Insecure Authentication Practices in D-LINK DIR-601 Router, Hardware
version A1, Firmware Version 1.02NA

 When logging into the router, the authentication module passes the
 username and password Base64-encoded rather than encrypted. When
 changing the password, a) no current password is required; and b) the
 new password and username are passed in plain text. There is also no
 support for HTTPS connections to the router.
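
 The two password-change weaknesses described above, shown next to a hardened form, as an added example that is not code from the advisory or from D-Link firmware. Every name here (Account, the form fields current_password and new_password, the scheme argument) and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical sketch: the DIR-601's real handler and field names are not on the page.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2 digest so the stored value is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self.digest, hash_password(candidate, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)


def change_password_weak(account: Account, form: dict, scheme: str) -> str:
    """Behaviour the advisory describes: no current password, any transport."""
    account.set_password(form["new_password"])
    return "changed"


def change_password_hardened(account: Account, form: dict, scheme: str) -> str:
    """Refuse cleartext transport and require proof of the current password."""
    if scheme != "https":
        return "rejected: cleartext transport"
    if not account.verify(form.get("current_password", "")):
        return "rejected: current password missing or wrong"
    new = form.get("new_password", "")
    # Assumed policy: minimum length 12 and different from the current password.
    if len(new) < 12 or account.verify(new):
        return "rejected: new password too short or unchanged"
    account.set_password(new)
    return "changed"
```

 Base64 on the login path is an encoding with no key, so the transport check matters there too: only TLS keeps the submitted credentials confidential.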

 Due to no schedule viability D-Link asks that two items are mentioned in
disclosure:

 a) For this out-of-service router, users are encouraged to use DD-WRT
firmware here <http://www.dd-wrt.com/site/support/router-database>
 b) They can contact [email protected] for the latest information on
updates.

 ------------------------------------------

 [VulnerabilityType Other]
 Weak Authentication and No HTTPS support

 ------------------------------------------

 [Vendor of Product]
 D-Link

 ------------------------------------------

 [Affected Product Code Base]
 DIR 601 - Hardware A1, Firmware 1.02NA

 ------------------------------------------

 [Affected Component]
 Login, Password Changing

 ------------------------------------------

 [Attack Type]
 Context-dependent

 ------------------------------------------

 [Impact Information Disclosure]
 true

 ------------------------------------------

 [Attack Vectors]
 To exploit this, an attacker must have a proxy or man-in-the-middle attack
completed and be able to discern the URLs to intercept passed parameters.

 ------------------------------------------

 [Has vendor confirmed or acknowledged the vulnerability?]
 true

 ------------------------------------------

 [Remediation]
 Due to no schedule viability D-Link asks that two items are mentioned in
disclosure:

 a) For this out-of-service router, users are encouraged to use DD-WRT
firmware here <http://www.dd-wrt.com/site/support/router-database>
 b) They can contact [email protected] for the latest information on
updates.

 ------------------------------------------
 [References]
 http://us.dlink.com/security-advisories/
 https://advancedpersistentsecurity.net/cve-2018-10641/
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10641



Joe Gray

#  0day.today [2018-05-07]  #


Vulners AI Score: 0.2 (Low risk)
EPSS: 0.02127