Details of VAR-201708-0276

ID

VAR-201708-0276

CVE

CVE-2014-7860

TITLE

D-Link DNS-320L and DNS-327L Vulnerability in information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2014-008366

DESCRIPTION

The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token. D-Link DNS-320L and DNS-327L Firmware contains information disclosure vulnerabilities and authentication vulnerabilities.Information may be obtained. D-link specializes in the design and development of wireless network and Ethernet road hardware products. Multiple authentication bypass vulnerabilities exist in multiple D-Link products. Allows an attacker to exploit the vulnerability to bypass the authentication mechanism and perform unauthorized operations on the affected device. This may aid in further attacks. D-Link DNS-320L and DNS-327L are D-Link company's cloud-enabled network storage. D-Link DNS-320L versions prior to 1.04b12 and DNS-327L versions prior to 1.03b04 Build0119 have a security vulnerability in the web/web_file/fb_publish.php script, which is caused by the program not authenticating the request. Overwiew -------- SEARCH-LAB performed an independent security assessment on four different D-Link devices. The assessment has identified altogether 53 unique vulnerabilities in the latest firmware (dated 30-07-2014). Several vulnerabilities can be abused by a remote attacker to execute arbitrary code and gain full control over the devices. We list below several of the problematic areas, where the most critical findings were discovered: - Authentication can be bypassed in several ways, allowing an attacker to take full control over the device without the need to exploit any programming or design bugs. - We found a few half-baked security workarounds to fix earlier vulnerabilities that introduced even more serious problems, leading to command injection and the possibility to take full control over the device. - Even though there were several security patches and workarounds in the session management part of the code, where we still found serious problems. It was still possible to perform unauthenticated file upload to an arbitrarily chosen location, which also lead to the possibility for an attacker to take full control over the device. - Default users (root, nobody) can be used during authentication, and the administrator cannot change the default (empty) password of these users from the user interface. Details and CVEs ---------------- For the specific details see our full report in [SL-ADV]. We suppose that some of the vulnerabilities were discovered by other researchers too, but we saw it reasonable and useful to publish our findings in such a comprehensive study. Naturally in the report we tried to find and reference all of the previous publications that may have found the same problems. We obtained the following CVE numbers for the above described vulnerabilities: - CVE-2014-7858: Check_login bypass vulnerability in DNR-326 - CVE-2014-7859: Buffer overflow in login_mgr.cgi and in file_sharing.cgi - CVE-2014-7860: Unauthenticated photo publish We also reported two other authentication bypass vulnerabilities (CVE-2014-7857) to D-Link; but since these problems have not been addressed correctly yet, we will only publish them after 22/06/2015. Affected devices ---------------- Main targeted devices during the assessment: - DNS-320, Revision A: 2.03, 13/05/2013 - DNS-320L, 1.03b04, 11/11/2013 - DNS-327L, 1.02, 02/07/2014 - DNR-326, 1.40b03, 7/19/2013 Other devices were influenced by one or more vulnerabilities: - DNS-320B, 1,02b01, 23/04/2014 - DNS-345, 1.03b06, 30/07/2014 - DNS-325, 1.05b03, 30/12/2013 - DNS-322L, 2.00b07 See [SL-ADV] for the complete vulnerability matrix at the time of the assessment. We note that other devices may also be vulnerable. Solution -------- Most of the vulnerabilities were fixed in: - DNS-320L 1.04.B12 - DNS-327L 1.03.B04 Some of the vulnerabilities were fixed in: - DNR-326 2.10.B03 - DNR-322L 2.10.B03 Besides installing the patches, where available, we highly recommend not to expose the web interface of the DNS and DNR devices to the internet. Since the devices use the UPnP feature, you should disable it in the router. Credits ------- These vulnerabilities were discovered and researched by Gergely Eberhardt (@ebux25) from SEARCH-LAB Ltd

Trust: 2.61

sources: NVD: CVE-2014-7860 // JVNDB: JVNDB-2014-008366 // CNVD: CNVD-2015-03605 // BID: 74884 // VULHUB: VHN-75805 // PACKETSTORM: 132075

IOT TAXONOMY

category:

['IoT', 'Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-03605

AFFECTED PRODUCTS

vendor:	d link	model:	dns-320l	scope:	lte	version:	1.03b04	Trust: 1.0
vendor:	d link	model:	dns-327l	scope:	lte	version:	1.02	Trust: 1.0
vendor:	d link	model:	dns-327l	scope:	eq	version:	1.02	Trust: 0.9
vendor:	d link	model:	d-link dns-320l	scope:	lt	version:	1.04b12	Trust: 0.8
vendor:	d link	model:	d-link dns-327l	scope:	lt	version:	1.03b04 build0119	Trust: 0.8
vendor:	d link	model:	router	scope:	-	version:	-	Trust: 0.6
vendor:	d link	model:	dns-320l	scope:	eq	version:	1.03b04	Trust: 0.6
vendor:	d link	model:	dns-320l 1.03b04	scope:	-	version:	-	Trust: 0.3
vendor:	d link	model:	dns-327l 1.03b04 build0119	scope:	ne	version:	-	Trust: 0.3
vendor:	d link	model:	dns-320l 1.04b12	scope:	ne	version:	-	Trust: 0.3

sources: CNVD: CNVD-2015-03605 // BID: 74884 // JVNDB: JVNDB-2014-008366 // CNNVD: CNNVD-201506-079 // NVD: CVE-2014-7860

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-7860
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-7860
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-03605
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201506-079
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-75805
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-7860
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-03605
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-75805
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2014-7860
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2015-03605 // VULHUB: VHN-75805 // JVNDB: JVNDB-2014-008366 // CNNVD: CNNVD-201506-079 // NVD: CVE-2014-7860

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.9
problemtype:	CWE-287	Trust: 1.9

sources: VULHUB: VHN-75805 // JVNDB: JVNDB-2014-008366 // NVD: CVE-2014-7860

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 132075 // CNNVD: CNNVD-201506-079

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201506-079

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008366

PATCH

title:	DNS-327L	url:	http://support.dlink.com/ProductInfo.aspx?m=DNS-327L	Trust: 0.8
title:	DNS-320L	url:	http://support.dlink.com/ProductInfo.aspx?m=DNS-320L	Trust: 0.8
title:	Multiple authentication bypass bugs for multiple D-Link products	url:	https://www.cnvd.org.cn/patchInfo/show/59305	Trust: 0.6
title:	D-Link DNS-320L and DNS-327L Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=234992	Trust: 0.6

sources: CNVD: CNVD-2015-03605 // JVNDB: JVNDB-2014-008366 // CNNVD: CNNVD-201506-079

EXTERNAL IDS

db:	NVD	id:	CVE-2014-7860	Trust: 3.5
db:	BID	id:	74884	Trust: 2.6
db:	PACKETSTORM	id:	132075	Trust: 1.8
db:	JVNDB	id:	JVNDB-2014-008366	Trust: 0.8
db:	CNNVD	id:	CNNVD-201506-079	Trust: 0.7
db:	CNVD	id:	CNVD-2015-03605	Trust: 0.6
db:	VULHUB	id:	VHN-75805	Trust: 0.1

sources: CNVD: CNVD-2015-03605 // VULHUB: VHN-75805 // BID: 74884 // JVNDB: JVNDB-2014-008366 // PACKETSTORM: 132075 // CNNVD: CNNVD-201506-079 // NVD: CVE-2014-7860

REFERENCES

url:	http://www.search-lab.hu/media/d-link_security_advisory_3_0_public.pdf	Trust: 2.9
url:	http://www.securityfocus.com/bid/74884	Trust: 2.3
url:	http://www.securityfocus.com/archive/1/535626/100/200/threaded	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2015/may/125	Trust: 1.7
url:	http://packetstormsecurity.com/files/132075/d-link-bypass-buffer-overflow.html	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2014-7860	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7860	Trust: 0.8
url:	http://support.dlink.com/productinfo.aspx?m=dns-320l	Trust: 0.4
url:	http://support.dlink.com/productinfo.aspx?m=dns-327l	Trust: 0.4
url:	http://www.dlink.com/	Trust: 0.3
url:	http://support.dlink.com/productinfo.aspx?m=dns-345	Trust: 0.1
url:	http://support.dlink.com/productinfo.aspx?m=dns-320	Trust: 0.1
url:	http://support.dlink.com/productinfo.aspx?m=dns-325	Trust: 0.1
url:	http://support.dlink.com/productinfo.aspx?m=dnr-322l	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2014-7859	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2014-7858	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2014-7857	Trust: 0.1
url:	https://www.search-lab.hu)	Trust: 0.1
url:	http://support.dlink.com/productinfo.aspx?m=dnr-326	Trust: 0.1

sources: CNVD: CNVD-2015-03605 // VULHUB: VHN-75805 // BID: 74884 // JVNDB: JVNDB-2014-008366 // PACKETSTORM: 132075 // CNNVD: CNNVD-201506-079 // NVD: CVE-2014-7860

CREDITS

GergelyEberhardt (@ebux25) of SEARCH-LAB Ltd.

Trust: 0.9

sources: BID: 74884 // CNNVD: CNNVD-201506-079

SOURCES

db:	CNVD	id:	CNVD-2015-03605
db:	VULHUB	id:	VHN-75805
db:	BID	id:	74884
db:	JVNDB	id:	JVNDB-2014-008366
db:	PACKETSTORM	id:	132075
db:	CNNVD	id:	CNNVD-201506-079
db:	NVD	id:	CVE-2014-7860

LAST UPDATE DATE

2024-11-23T22:07:18.088000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-03605	date:	2015-06-05T00:00:00
db:	VULHUB	id:	VHN-75805	date:	2018-10-09T00:00:00
db:	BID	id:	74884	date:	2015-05-28T00:00:00
db:	JVNDB	id:	JVNDB-2014-008366	date:	2017-09-28T00:00:00
db:	CNNVD	id:	CNNVD-201506-079	date:	2023-04-27T00:00:00
db:	NVD	id:	CVE-2014-7860	date:	2024-11-21T02:18:09.380

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-03605	date:	2015-06-05T00:00:00
db:	VULHUB	id:	VHN-75805	date:	2017-08-25T00:00:00
db:	BID	id:	74884	date:	2015-05-28T00:00:00
db:	JVNDB	id:	JVNDB-2014-008366	date:	2017-09-28T00:00:00
db:	PACKETSTORM	id:	132075	date:	2015-05-28T13:03:33
db:	CNNVD	id:	CNNVD-201506-079	date:	2015-05-28T00:00:00
db:	NVD	id:	CVE-2014-7860	date:	2017-08-25T18:29:00.373