A command injection flaw has been discovered in D-Link COVR v1.08 via the /admin/system_time_timezone parameter at function SetNTPServerSettings. A successful exploitation could cause the target device to crash and become inoperable.

The advisory states the following CVE has been assigned: CVE-2018-16865

Advisory: https://www.dlink.com/en/security/advisories/dlink-covr-v1-08-command-injection-vulnerability-and-cve-2018-16865.html

End users with control over the 'system_time_timezone' setting on the affected device can exploit this vulnerability to potentially cause a denial of service condition.

The 'system_time_timezone' value is also used during the installation process of D-Link COVR. An attacker can exploit this to inject and run arbitrary commands on the device during the installation process.

D-Link recommends users update to the latest version as soon as possible. Vendors and product manufacturers need to work together to ensure their products are secure from the start.
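The class of fix for a flaw like this is to allowlist the timezone value and hand it to the system as a single argument instead of a shell string. The sketch below is an added example, not D-Link's firmware code (which this page does not show); the function names, the length limit and the helper path `/usr/sbin/set-timezone` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define TZ_MAX_LEN 64
/* ASCII-only allowlist, independent of the device's locale settings. */
static int tz_char_ok(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '+' || c == '-';
}

/* Returns 1 for names shaped like "UTC", "GMT+8" or "Europe/Berlin", else 0.
 * Shell metacharacters, whitespace, quotes, dots and newlines never pass. */
int timezone_is_valid(const char *tz)
{
    size_t len, i, seg_len = 0;
    if (tz == NULL)
        return 0;
    len = strlen(tz);
    if (len == 0 || len > TZ_MAX_LEN)
        return 0;
    if (tz[0] == '-')               /* would be read as an option flag */
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tz[i];
        if (c == '/') {
            if (seg_len == 0)       /* empty segment: "/x" or "a//b" */
                return 0;
            seg_len = 0;
        } else if (tz_char_ok(c)) {
            seg_len++;
        } else {
            return 0;
        }
    }
    return seg_len != 0;            /* rejects a trailing '/' */
}

/* Builds an argv for a hypothetical helper so the value reaches execv() as
 * one argument and no shell parses it. Returns 0 on success, -1 if rejected. */
int build_set_tz_argv(const char *tz, const char *argv[3])
{
    if (!timezone_is_valid(tz))
        return -1;
    argv[0] = "/usr/sbin/set-timezone";   /* hypothetical path */
    argv[1] = tz;
    argv[2] = NULL;
    return 0;
}
```

Rejected values should be logged with the requesting session, since a timezone field containing shell metacharacters is a useful detection signal on its own.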

Timeline

Published on: 10/13/2022 19:15:00 UTC
Last modified on: 10/18/2022 12:15:00 UTC

References