Details of VAR-201907-1077

ID

VAR-201907-1077

CVE

CVE-2017-8417

TITLE

D-Link DCS-1100 and DCS-1130 Vulnerability in certificate / password management on devices

Trust: 0.8

sources: JVNDB: JVNDB-2017-014552

DESCRIPTION

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device requires that a user logging into the device provide a username and password. However, the device allows D-Link apps on the mobile devices and desktop to communicate with the device without any authentication. As a part of that communication, the device uses custom version of base64 encoding to pass data back and forth between the apps and the device. However, the same form of communication can be initiated by any process including an attacker process on the mobile phone or the desktop and this allows a third party to retrieve the device's password without any authentication by sending just 1 UDP packet with custom base64 encoding. The severity of this attack is enlarged by the fact that there more than 100,000 D-Link devices out there. D-Link DCS-1100 and DCS-1130 The device contains a certificate / password management vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. The D-LinkDCS-1100 and D-LinkDCS-1130 are both network cameras from D-Link Corporation of Taiwan, China. A cross-site request forgery vulnerability exists in the D-LinkDCS-1100 and DCS-1130. The attacker can use the vulnerability to access the management interface by sending a simple UDP packet to view the captured image

Trust: 2.34

sources: NVD: CVE-2017-8417 // JVNDB: JVNDB-2017-014552 // CNVD: CNVD-2019-23334 // VULHUB: VHN-116620 // VULMON: CVE-2017-8417

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-23334

AFFECTED PRODUCTS

vendor:	d link	model:	dcs-1130	scope:	-	version:	-	Trust: 1.4
vendor:	d link	model:	dcs-1100	scope:	-	version:	-	Trust: 1.4
vendor:	dlink	model:	dcs-1130	scope:	eq	version:	-	Trust: 1.0
vendor:	dlink	model:	dcs-1100	scope:	eq	version:	-	Trust: 1.0

sources: CNVD: CNVD-2019-23334 // JVNDB: JVNDB-2017-014552 // NVD: CVE-2017-8417

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-8417
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-8417
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-23334
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201907-119
value:	HIGH
Trust: 0.6
VULHUB:	VHN-116620
value:	LOW
Trust: 0.1
VULMON:	CVE-2017-8417
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-8417
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2019-23334
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-116620
severity:	LOW
baseScore:	3.3
vectorString:	AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	6.5
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-8417
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2017-8417
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2019-23334 // VULHUB: VHN-116620 // VULMON: CVE-2017-8417 // JVNDB: JVNDB-2017-014552 // CNNVD: CNNVD-201907-119 // NVD: CVE-2017-8417

PROBLEMTYPE DATA

problemtype:

CWE-255

Trust: 1.9

sources: VULHUB: VHN-116620 // JVNDB: JVNDB-2017-014552 // NVD: CVE-2017-8417

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201907-119

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201907-119

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014552

PATCH

title:	Top Page	url:	https://www.dlink.com/en/consumer	Trust: 0.8
title:	IoT_vulnerabilities	url:	https://github.com/ethanhunnt/IoT_vulnerabilities	Trust: 0.1

sources: VULMON: CVE-2017-8417 // JVNDB: JVNDB-2017-014552

EXTERNAL IDS

db:	NVD	id:	CVE-2017-8417	Trust: 3.3
db:	PACKETSTORM	id:	153226	Trust: 1.9
db:	JVNDB	id:	JVNDB-2017-014552	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-119	Trust: 0.7
db:	CNVD	id:	CNVD-2019-23334	Trust: 0.6
db:	VULHUB	id:	VHN-116620	Trust: 0.1
db:	VULMON	id:	CVE-2017-8417	Trust: 0.1

sources: CNVD: CNVD-2019-23334 // VULHUB: VHN-116620 // VULMON: CVE-2017-8417 // JVNDB: JVNDB-2017-014552 // PACKETSTORM: 153226 // CNNVD: CNNVD-201907-119 // NVD: CVE-2017-8417

REFERENCES

url:	https://github.com/ethanhunnt/iot_vulnerabilities/blob/master/dlink_dcs_1130_security.pdf	Trust: 2.6
url:	http://packetstormsecurity.com/files/153226/dlink-dcs-1130-command-injection-csrf-stack-overflow.html	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8417	Trust: 2.1
url:	https://seclists.org/bugtraq/2019/jun/8	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-8417	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/255.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/ethanhunnt/iot_vulnerabilities	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8408	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8413	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8405	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8406	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8410	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8412	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8409	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8415	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8404	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8416	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8411	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8407	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2017-8414	Trust: 0.1

CREDITS

Mandar Satam

Trust: 0.1

sources: PACKETSTORM: 153226

SOURCES

db:	CNVD	id:	CNVD-2019-23334
db:	VULHUB	id:	VHN-116620
db:	VULMON	id:	CVE-2017-8417
db:	JVNDB	id:	JVNDB-2017-014552
db:	PACKETSTORM	id:	153226
db:	CNNVD	id:	CNNVD-201907-119
db:	NVD	id:	CVE-2017-8417

LAST UPDATE DATE

2024-11-23T21:37:04.986000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-23334	date:	2019-07-19T00:00:00
db:	VULHUB	id:	VHN-116620	date:	2019-07-08T00:00:00
db:	VULMON	id:	CVE-2017-8417	date:	2021-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2017-014552	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201907-119	date:	2021-04-27T00:00:00
db:	NVD	id:	CVE-2017-8417	date:	2024-11-21T03:34:00.100

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-23334	date:	2019-07-18T00:00:00
db:	VULHUB	id:	VHN-116620	date:	2019-07-02T00:00:00
db:	VULMON	id:	CVE-2017-8417	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2017-014552	date:	2019-07-09T00:00:00
db:	PACKETSTORM	id:	153226	date:	2019-06-07T15:06:02
db:	CNNVD	id:	CNNVD-201907-119	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2017-8417	date:	2019-07-02T21:15:10.633