Incorrect Access Control in D-Link DIR-2640-US Router
CVE-2021-34203
8.1 HIGH
Summary
The D-Link DIR-2640-US router is vulnerable to an Incorrect Access Control issue that arises when the router is configured for PPPoE. This flaw allows the quagga process to be initiated, enabling potential attackers to gain access through telnet using the default password and port settings. Once compromised, an attacker can manipulate routing information, monitor all network traffic, and execute DNS hijacking or phishing attacks. Furthermore, the public exposure of this interface raises concerns about potential backdoors, as it is not intended to be accessible.
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved