Details of VAR-202308-3319

ID

VAR-202308-3319

CVE

CVE-2023-37325

TITLE

D-Link DAP-2622 DDP Set SSID List Missing Authentication Vulnerability

Trust: 0.7

sources: ZDI: ZDI-23-1280

DESCRIPTION

D-Link DAP-2622 DDP Set SSID List Missing Authentication Vulnerability. This vulnerability allows network-adjacent attackers to make unauthorized changes to device configuration on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DDP service. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to manipulate wireless authentication settings. Was ZDI-CAN-20104. D-Link DAP-2622 is a wireless access point device from D-Link, a Chinese company. No detailed vulnerability details are currently provided

Trust: 2.07

sources: NVD: CVE-2023-37325 // ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-24417

AFFECTED PRODUCTS

vendor:	d link	model:	dap-2622	scope:	-	version:	-	Trust: 0.7
vendor:	d link	model:	dap-2622	scope:	eq	version:	*	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-37325
value:	MEDIUM
Trust: 1.0
ZDI:	CVE-2023-37325
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2024-24417
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-24417
severity:	MEDIUM
baseScore:	4.8
vectorString:	AV:A/AC:L/AU:N/C:N/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-37325
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.0
Trust: 1.0
ZDI:	CVE-2023-37325
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	2.5
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // NVD: CVE-2023-37325

PROBLEMTYPE DATA

problemtype:

CWE-306

Trust: 1.0

sources: NVD: CVE-2023-37325

PATCH

title:	D-Link has issued an update to correct this vulnerability.	url:	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349	Trust: 0.7
title:	Patch for D-Link DAP-2622 has an unspecified vulnerability (CNVD-2024-24417)	url:	https://www.cnvd.org.cn/patchInfo/show/547376	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417

EXTERNAL IDS

db:	NVD	id:	CVE-2023-37325	Trust: 2.3
db:	ZDI	id:	ZDI-23-1280	Trust: 1.7
db:	DLINK	id:	SAP10349	Trust: 1.0
db:	ZDI_CAN	id:	ZDI-CAN-20104	Trust: 0.7
db:	CNVD	id:	CNVD-2024-24417	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // NVD: CVE-2023-37325

REFERENCES

url:	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=sap10349	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-23-1280/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2023-37325	Trust: 0.6

sources: ZDI: ZDI-23-1280 // CNVD: CNVD-2024-24417 // NVD: CVE-2023-37325

CREDITS

Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative

Trust: 0.7

sources: ZDI: ZDI-23-1280

SOURCES

db:	ZDI	id:	ZDI-23-1280
db:	CNVD	id:	CNVD-2024-24417
db:	NVD	id:	CVE-2023-37325

LAST UPDATE DATE

2024-09-19T22:39:05.931000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-1280	date:	2024-05-03T00:00:00
db:	CNVD	id:	CNVD-2024-24417	date:	2024-05-27T00:00:00
db:	NVD	id:	CVE-2023-37325	date:	2024-09-18T19:15:30.727

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-1280	date:	2023-08-25T00:00:00
db:	CNVD	id:	CNVD-2024-24417	date:	2024-05-24T00:00:00
db:	NVD	id:	CVE-2023-37325	date:	2024-05-07T23:15:16.497