ID

VAR-202007-0871


CVE

CVE-2020-15632


TITLE

Improper implementation of authentication algorithm vulnerability in D-Link DIR-842 routers

Trust: 0.8

sources: JVNDB: JVNDB-2020-008737

DESCRIPTION

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-842 3.13B05 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HNAP GetCAPTCHAsetting requests. The issue results from the lack of proper handling of sessions. An attacker can leverage this vulnerability to execute arbitrary code in the context of the device. Was ZDI-CAN-10083. The Zero Day Initiative numbered this vulnerability ZDI-CAN-10083. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS). D-Link DIR-842 is a wireless router made by D-Link in Taiwan. There are security loopholes in the processing of HNAP GetCAPTCHAsetting requests in D-Link DIR-842. The vulnerability stems from the network system or product not properly verifying the user's identity.

Trust: 2.79

sources: NVD: CVE-2020-15632 // JVNDB: JVNDB-2020-008737 // ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-44864

AFFECTED PRODUCTS

vendor: dlink model: dir-842 scope: lte version: 3.13b09

Trust: 1.0

vendor: d link model: dir-842 scope: eq version: 3.13b05

Trust: 0.8

vendor: d link model: dir-842 scope: - version: -

Trust: 0.7

vendor: d link model: dir-842 <=3.13b09 scope: - version: -

Trust: 0.6

sources: ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864 // JVNDB: JVNDB-2020-008737 // NVD: CVE-2020-15632

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-15632
value: HIGH

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2020-15632
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-008737
value: HIGH

Trust: 0.8

ZDI: CVE-2020-15632
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-44864
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202007-1302
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-15632
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008737
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-44864
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-15632
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2020-15632
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-008737
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-15632
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864 // JVNDB: JVNDB-2020-008737 // CNNVD: CNNVD-202007-1302 // NVD: CVE-2020-15632 // NVD: CVE-2020-15632

PROBLEMTYPE DATA

problemtype: CWE-303

Trust: 1.8

sources: JVNDB: JVNDB-2020-008737 // NVD: CVE-2020-15632

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202007-1302

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202007-1302

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008737

PATCH

title: SAP10184 url: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10184

Trust: 1.5

title: Patch for D-Link DIR-842 authentication vulnerability url: https://www.cnvd.org.cn/patchInfo/show/229828

Trust: 0.6

sources: ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864 // JVNDB: JVNDB-2020-008737

EXTERNAL IDS

db: NVD id: CVE-2020-15632

Trust: 3.7

db: ZDI id: ZDI-20-880

Trust: 2.9

db: DLINK id: SAP10184

Trust: 1.6

db: JVNDB id: JVNDB-2020-008737

Trust: 0.8

db: ZDI_CAN id: ZDI-CAN-10083

Trust: 0.7

db: CNVD id: CNVD-2020-44864

Trust: 0.6

db: NSFOCUS id: 47669

Trust: 0.6

db: CNNVD id: CNNVD-202007-1302

Trust: 0.6

sources: ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864 // JVNDB: JVNDB-2020-008737 // CNNVD: CNNVD-202007-1302 // NVD: CVE-2020-15632

REFERENCES

url: https://www.zerodayinitiative.com/advisories/zdi-20-880/

Trust: 2.8

url: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=sap10184

Trust: 2.3

url: https://nvd.nist.gov/vuln/detail/cve-2020-15632

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-15632

Trust: 0.8

url: http://www.nsfocus.net/vulndb/47669

Trust: 0.6

sources: ZDI: ZDI-20-880 // CNVD: CNVD-2020-44864 // JVNDB: JVNDB-2020-008737 // CNNVD: CNNVD-202007-1302 // NVD: CVE-2020-15632

CREDITS

chung96vn - Security Researcher of VinCSS (Member of Vingroup)

Trust: 1.3

sources: ZDI: ZDI-20-880 // CNNVD: CNNVD-202007-1302

SOURCES

db: ZDI id: ZDI-20-880
db: CNVD id: CNVD-2020-44864
db: JVNDB id: JVNDB-2020-008737
db: CNNVD id: CNNVD-202007-1302
db: NVD id: CVE-2020-15632

LAST UPDATE DATE

2024-08-14T15:38:22.903000+00:00


SOURCES UPDATE DATE

db: ZDI id: ZDI-20-880 date: 2020-07-20T00:00:00
db: CNVD id: CNVD-2020-44864 date: 2020-08-07T00:00:00
db: JVNDB id: JVNDB-2020-008737 date: 2020-09-23T00:00:00
db: CNNVD id: CNNVD-202007-1302 date: 2020-08-12T00:00:00
db: NVD id: CVE-2020-15632 date: 2020-07-28T18:35:01.013

SOURCES RELEASE DATE

db: ZDI id: ZDI-20-880 date: 2020-07-20T00:00:00
db: CNVD id: CNVD-2020-44864 date: 2020-08-07T00:00:00
db: JVNDB id: JVNDB-2020-008737 date: 2020-09-23T00:00:00
db: CNNVD id: CNNVD-202007-1302 date: 2020-07-20T00:00:00
db: NVD id: CVE-2020-15632 date: 2020-07-23T21:15:11.970