Vulnerability Note VU#553503
D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
Original Release date: 15 Mar 2017 | Last revised: 24 Mar 2017

Overview
The D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass of the remote login page, and do not sufficiently protect administrator credentials.

Description
The D-Link DIR-130, firmware version 1.23, and DIR-330, firmware version 1.12, are vulnerable to the following:
CWE-294: Authentication Bypass by Capture-replay – CVE-2017-3191

A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages such as tools_admin.asp without credentials.

CWE-522: Insufficiently Protected Credentials – CVE-2017-3192

The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page.

A remote attacker with access to this page (potentially through an authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device.

D-Link has confirmed these issues to the CERT/CC.

Other D-Link models may be affected by these issues, but were not tested by the reporter or the CERT/CC.

CERT/CC has received a report that the DIR-655 may also be impacted, but has not verified it at this time.

Impact
A remote attacker may be able to obtain administrator credentials and access administrator functionality of the device.

Solution
The CERT/CC is currently unaware of a practical solution to this problem.

Affected users may consider the following workaround:
Restrict Access

As a general good security practice, only allow connections from trusted hosts and networks.

Additionally, you may wish to disable remote administration of the router.
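
To check whether the workaround is holding, the following added example (not from CERT/CC or D-Link) reviews access logs for requests that reach the management interface from outside the trusted networks, and ranks hits on tools_admin.asp highest. The Common Log Format input, the trusted network, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks allowed to reach the router's management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Administrator-only page named in the advisory.
ADMIN_PAGES = {"/tools_admin.asp"}
# Assumption: Common Log Format lines from a sensor or proxy in front of the router.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not an IP literal: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def review(lines):
    """Return (severity, source, path) for each request from an untrusted host."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m or is_trusted(m["src"]):
            continue  # unparsable line, or request from a trusted network
        path = m["path"].split("?", 1)[0].lower()
        served = m["status"].startswith("2")
        if path in ADMIN_PAGES and served:
            severity = "critical"  # admin page content returned to an untrusted host
        elif path in ADMIN_PAGES:
            severity = "high"      # admin page requested but not served
        else:
            severity = "medium"    # management interface reachable from outside
        findings.append((severity, m["src"], path))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2017:09:00:01 +0000] "GET /tools_admin.asp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Mar/2017:09:02:13 +0000] "GET / HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Mar/2017:09:02:20 +0000] "GET /tools_admin.asp HTTP/1.1" 200 5120',
    '198.51.100.4 - - [15/Mar/2017:09:05:44 +0000] "GET /tools_admin.asp HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Any "critical" finding means the page that discloses the administrator password was returned to an untrusted host, so the administrator password should be treated as exposed.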

Vendor Information

Vendor | Status | Date Notified | Date Updated
D-Link Systems, Inc. | Affected | 25 Jan 2017 | 07 Mar 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 9.0 | E:POC/RL:U/RC:C
Environmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/294.html
http://cwe.mitre.org/data/definitions/522.html

Credit

Thanks to James Edge for reporting this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-3191, CVE-2017-3192
Date Public: 15 Mar 2017
Date First Published: 15 Mar 2017
Date Last Updated: 24 Mar 2017
Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.