CERT Coordination Center


D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials

Vulnerability Note VU#553503

Original Release Date: 2017-03-15 | Last Revised: 2017-03-24

Overview

The D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass of the remote login page, and do not sufficiently protect administrator credentials.

Description

The D-Link DIR-130, firmware version 1.23, and DIR-330, firmware version 1.12, are vulnerable to the following:

CWE-294: Authentication Bypass by Capture-replay - CVE-2017-3191

A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages such as tools_admin.asp without credentials.

CWE-522: Insufficiently Protected Credentials - CVE-2017-3192

The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page (potentially through an authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device.
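Base64 is an encoding, not a protection, so a page that returns a password this way is returning the password. The following check is an added example, not part of the original note or of any D-Link code: it audits an HTML response for credential-like form fields whose value decodes cleanly from base64, and reports only the field name and decoded length. The sample pages, field names and password are constructed for illustration.

```python
import base64
import binascii
from html.parser import HTMLParser

# Constructed sample responses. Field names and the password are hypothetical.
ENCODED = base64.b64encode(b"example-password").decode()
LEAKY_PAGE = ('<form><input type="text" name="admin_name" value="admin">'
              '<input type="hidden" name="admin_password" value="%s"></form>' % ENCODED)
FIXED_PAGE = ('<form><input type="text" name="admin_name" value="admin">'
              '<input type="password" name="admin_password" value=""></form>')


def decoded_length(value):
    """Length of the decoded secret if value is base64 of printable ASCII, else None."""
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return len(raw) if raw and all(0x20 <= b < 0x7F for b in raw) else None


class CredentialFieldAudit(HTMLParser):
    """Records credential-like <input> fields whose value is trivially reversible."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, decoded length); the secret is not kept

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        name, value = attr.get("name", ""), attr.get("value", "")
        if attr.get("type") != "password" and "pass" not in name.lower():
            return
        length = decoded_length(value)
        if length is not None:
            self.findings.append((name, length))


def audit(html):
    """Return the list of findings for one HTML response body."""
    parser = CredentialFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("leaky:", audit(LEAKY_PAGE))
    print("fixed:", audit(FIXED_PAGE))
```

The fixed page shows the expected behaviour: the stored password is never echoed back to the client, so there is nothing to decode.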

D-Link has confirmed these issues to the CERT/CC.

Other D-Link models may be affected by these issues, but were not tested by the reporter or the CERT/CC. CERT/CC has received a report that the DIR-655 may also be impacted, but has not verified it at this time.

Impact

A remote attacker may be able to obtain administrator credentials and access administrator functionality of the device.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Affected users may consider the following workaround:

Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks. Additionally, you may wish to disable remote administration of the router.

Vendor Information


D-Link Systems, Inc.

Notified: January 25, 2017
Updated: March 07, 2017

Statement Date: March 03, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.0 E:POC/RL:U/RC:C
Environmental 6.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to James Edge for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-3191, CVE-2017-3192
Date Public: 2017-03-15
Date First Published: 2017-03-15
Date Last Updated: 2017-03-24 17:02 UTC
Document Revision: 30

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.