Command Injection Vulnerability in D-Link DCS-1100 and DCS-1130 Devices
CVE-2017-8413

8.8HIGH

Key Information:

Vendor
D-Link
Status
Dcs-1130 Firmware
Vendor
CVE Published:
2 July 2019

Summary

A security issue exists in D-Link DCS-1100 and DCS-1130 devices due to a vulnerability in the custom daemon that listens for UDP packets. Exploitation can occur through specially crafted packets sent to the broadcast address (255.255.255.255), allowing an attacker to execute arbitrary commands on the device. By leveraging a base64 encoded command in the packet payload, an unauthorized user can manipulate the device without any form of authentication, potentially leading to significant security breaches in local networks.

References

https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153226/Dlink-DCS-113...
x_refsource_MISC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/ma...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.