Memory Corruption in D-Link DCS-1100 and DCS-1130 Devices
CVE-2017-8414

7.8HIGH

Key Information:

Vendor
D-Link
Status
Dcs-1100 Firmware
Vendor
CVE Published:
2 July 2019

Summary

A vulnerability has been identified in D-Link DCS-1100 and DCS-1130 devices, where the binary 'orthrus' in the /sbin directory mishandles UPnP connections. Specifically, a faulty sprintf operation allows input to overflow the stack due to missing length validation, leading to potential memory corruption. Attackers could exploit this flaw to manipulate device states or execute arbitrary code, posing significant security threats to users relying on these IoT devices.

References

https://seclists.org/bugtraq/2019/Jun/8
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/153226/Dlink-DCS-113...
x_refsource_MISC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/ma...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.