ID

VAR-201501-0347


CVE

CVE-2014-100005


TITLE

D-Link DIR-600 Cross-site request forgery vulnerability in router firmware

Trust: 0.8

sources: JVNDB: JVNDB-2014-007601

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php. The D-Link DIR-600 is a SOHO wireless routing device made by D-Link. Because the firmware allows these operations to be performed through unauthenticated HTTP requests, an attacker can modify the router configuration when a logged-in administrative user visits a specially crafted web page. Exploiting these issues may allow a remote attacker to perform unauthorized actions, which may lead to further attacks.

Trust: 2.52

sources: NVD: CVE-2014-100005 // JVNDB: JVNDB-2014-007601 // CNVD: CNVD-2014-01581 // BID: 66092 // VULHUB: VHN-68501

IOT TAXONOMY

category: ['IoT', 'Network device']; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01581

AFFECTED PRODUCTS

vendor: d link; model: dir-600; scope: -; version: -

Trust: 1.4

vendor: dlink; model: dir-600; scope: lte; version: 2.16ww

Trust: 1.0

vendor: d link; model: dir-600; scope: eq; version: -

Trust: 0.8

vendor: d link; model: dir-600; scope: eq; version: firmware 2.17b02

Trust: 0.8

vendor: d link; model: dir-600; scope: eq; version: 2.16ww

Trust: 0.6

vendor: d link; model: dir-600 2.16ww; scope: -; version: -

Trust: 0.3

sources: CNVD: CNVD-2014-01581 // BID: 66092 // JVNDB: JVNDB-2014-007601 // CNNVD: CNNVD-201403-571 // NVD: CVE-2014-100005

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-100005
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2014-100005
value: HIGH

Trust: 1.0

NVD: CVE-2014-100005
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-01581
value: LOW

Trust: 0.6

CNNVD: CNNVD-201403-571
value: MEDIUM

Trust: 0.6

VULHUB: VHN-68501
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-100005
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01581
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-68501
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2014-100005
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2014-100005
baseSeverity: HIGH
baseScore: 8.0
vectorString: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2014-01581 // VULHUB: VHN-68501 // JVNDB: JVNDB-2014-007601 // CNNVD: CNNVD-201403-571 // NVD: CVE-2014-100005 // NVD: CVE-2014-100005

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.1

problemtype: Cross-site request forgery (CWE-352) [NVD evaluation]

Trust: 0.8

sources: VULHUB: VHN-68501 // JVNDB: JVNDB-2014-007601 // NVD: CVE-2014-100005

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201403-571

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201403-571

PATCH

title: SAP10018; url: http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10018

Trust: 0.8

title: DIR-600_REVB_FIRMWARE_2.17.B02; url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57137

Trust: 0.6

sources: JVNDB: JVNDB-2014-007601 // CNNVD: CNNVD-201403-571

EXTERNAL IDS

db: NVD; id: CVE-2014-100005

Trust: 3.3

db: SECUNIA; id: 57304

Trust: 2.3

db: DLINK; id: SAP10018

Trust: 2.0

db: BID; id: 66092

Trust: 0.9

db: JVNDB; id: JVNDB-2014-007601

Trust: 0.8

db: CNNVD; id: CNNVD-201403-571

Trust: 0.7

db: CNVD; id: CNVD-2014-01581

Trust: 0.6

db: XF; id: 91794

Trust: 0.6

db: SEEBUG; id: SSVID-89342

Trust: 0.1

db: VULHUB; id: VHN-68501

Trust: 0.1

sources: CNVD: CNVD-2014-01581 // VULHUB: VHN-68501 // BID: 66092 // JVNDB: JVNDB-2014-007601 // CNNVD: CNNVD-201403-571 // NVD: CVE-2014-100005

REFERENCES

url: http://resources.infosecinstitute.com/csrf-unauthorized-remote-admin-access/

Trust: 3.4

url: http://securityadvisories.dlink.com/security/publication.aspx?name=sap10018

Trust: 2.0

url: http://secunia.com/advisories/57304

Trust: 1.7

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/91794

Trust: 1.1

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-100005

Trust: 0.8

url: https://cisa.gov/known-exploited-vulnerabilities-catalog

Trust: 0.8

url: http://secunia.com/advisories/57304/

Trust: 0.6

url: http://xforce.iss.net/xforce/xfdb/91794

Trust: 0.6

url: http://www.securityfocus.com/bid/66092

Trust: 0.6

url: http://www.dlink.com/

Trust: 0.3

sources: CNVD: CNVD-2014-01581 // VULHUB: VHN-68501 // BID: 66092 // JVNDB: JVNDB-2014-007601 // CNNVD: CNNVD-201403-571 // NVD: CVE-2014-100005

CREDITS

Dawid Czagan

Trust: 0.9

sources: BID: 66092 // CNNVD: CNNVD-201403-571

SOURCES

db: CNVD; id: CNVD-2014-01581
db: VULHUB; id: VHN-68501
db: BID; id: 66092
db: JVNDB; id: JVNDB-2014-007601
db: CNNVD; id: CNNVD-201403-571
db: NVD; id: CVE-2014-100005

LAST UPDATE DATE

2024-12-20T22:56:09.408000+00:00


SOURCES UPDATE DATE

db: CNVD; id: CNVD-2014-01581; date: 2014-03-12T00:00:00
db: VULHUB; id: VHN-68501; date: 2017-09-08T00:00:00
db: BID; id: 66092; date: 2014-03-10T00:00:00
db: JVNDB; id: JVNDB-2014-007601; date: 2024-05-31T06:43:00
db: CNNVD; id: CNNVD-201403-571; date: 2015-01-15T00:00:00
db: NVD; id: CVE-2014-100005; date: 2024-12-20T03:42:23.633

SOURCES RELEASE DATE

db: CNVD; id: CNVD-2014-01581; date: 2014-03-12T00:00:00
db: VULHUB; id: VHN-68501; date: 2015-01-13T00:00:00
db: BID; id: 66092; date: 2014-03-10T00:00:00
db: JVNDB; id: JVNDB-2014-007601; date: 2015-01-15T00:00:00
db: CNNVD; id: CNNVD-201403-571; date: 2014-03-10T00:00:00
db: NVD; id: CVE-2014-100005; date: 2015-01-13T11:59:04.477