The command injection can be exploited by issuing a request to set a custom WPS pin. An attacker can exploit the command injection to change the WPS pin in the device and then use the misconfigured router as an access point to exfiltrate data from the network.

The vulnerability is located in the D-Link COVR v1.08 firmware. The command injection can be exploited by a remote unauthenticated attacker.

Workaround: Update to the latest version of the D-Link COVR firmware.

D-Link Xtreme N 605(v1) contains multiple issues that can be exploited by malicious users to conduct various attacks:

1. The web management interface of the D-Link Xtreme N 605(v1) does not strip out the “Password” parameter when importing a configuration file. This results in a configuration file containing the password to the device being imported into the management interface.

2. D-Link Xtreme N 605(v1) does not validate CSRF tokens during login. An attacker can send a request that appears to be from the management interface and the request will be processed.

3. D-Link Xtreme N 605(v1) does not verify X.509 certificates during SSL communication. An attacker can forge a certificate and send the request to the management interface and the request will be processed.

4. D-Link

D-Link Xtreme N 605(v1) does not validate HTTP requests properly. An attacker can send a request that appears to be from the management interface and the request will be processed.

5. D-Link Xtreme N 605 (v1) does not verify the server identity during an SSL communication. An attacker can forge a certificate and send the request to the management interface and the request will be processed.

6. D-Link Xtreme N 605 (v1) does not enforce HTTPS on its web management interface. This can allow man-in-the-middle attackers to perform a man-in-the-middle attack with high success rates, which are dependent on the type of cipher being used by the management interface and whether it is using HTTP or HTTPS.

The vulnerability is located in the D-Link COVR v1.08 firmware. The command injection can be exploited by a remote unauthenticated attacker.

Workaround: Update to the latest version of the D-Link COVR firmware.

D-Link Xtreme N 605(v1) contains multiple issues that can be exploited by malicious users to conduct various attacks:

1. The web management interface of the D-Link Xtreme N 605(v1) does not strip out the “Password” parameter when importing a configuration file. This results in a configuration file containing the password to the device being imported into the management interface.
2. D-Link Xtreme N 605(v1) does not validate CSRF tokens during login. An attacker can send a request that appears to be from the management interface and the request will be processed.
3. D-Link Xtreme N 605(v1) does not verify X.509 certificates during SSL communication. An attacker can forge a certificate and send the request to the management interface and the request will be processed.

D-Link Xtreme N 605 V2 (and newer) have been patched to fix these vulnerabilities.

Workaround: Update to the latest version of the D-Link Xtreme N 605 firmware.

D-Link Xtreme N 605(v1) contains multiple vulnerabilities that can be exploited by malicious users to conduct various attacks.

1. The web management interface of the D-Link Xtreme N 605(v1) does not strip out the “Password” parameter when importing a configuration file. This results in a configuration file containing the password to the device being imported into the management interface.
2. D-Link Xtreme N 605(v1) does not validate CSRF tokens during login. An attacker can send a request that appears to be from the management interface and the request will be processed.
3. D-Link Xtreme N 605(v1) does not verify X.509 certificates during SSL communication. An attacker can forge a certificate and send the request to the management interface and the request will be processed.
4. D-Link

Timeline

Published on: 10/13/2022 19:15:00 UTC
Last modified on: 10/18/2022 12:14:00 UTC

References