Command Injection Vulnerability in D-Link DCS-1130 Devices
CVE-2017-8404

9.8 CRITICAL

Key Information:

Vendor:
D-Link
CVE Published:
2 July 2019

Summary

A command injection vulnerability has been identified in D-Link DCS-1130 devices, caused by insecure handling of POST parameters. The issue arises when a user configures an SMB folder for storing video clips: the submitted values are not validated before being handed to a vulnerable system API, which allows command injection. When specific POST parameters, in particular 'receiver1', are submitted, they are passed directly to the vulnerable function in the device library 'libmailutils.so', resulting in unauthorized command execution. This compromises the device's integrity and poses a significant risk, especially in IoT environments where such flaws are frequently targeted.

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved