Overview
The D-Link DAP-1320 Rev Ax firmware update mechanism contains a command injection vulnerability.
Description
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism. This attack does require interception and manipulation of network communications using commonly available tools.
Impact
A remote unauthenticated attacker may execute commands on the device by taking advantage of the firmware update mechanism.
Solution
Update the firmware
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.8 | E:POC/RL:OF/RC:C |
Environmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Mike Baucom, Allen Harper, and J. Rach of Tangible Security for discovering and reporting this vulnerability. Tangible Security would also like to publicly thank D-Link for their cooperation and desire to make their products and customers more secure.
This document was written by Garret Wassermann.
Other Information
Field | Value |
---|---|
CVE IDs | CVE-2015-2050 |
Date Public | 2015-03-13 |
Date First Published | 2015-03-16 |
Date Last Updated | 2015-03-16 17:02 UTC |
Document Revision | 18 |