FIRMADYNE CVE-2016-1558 & CVE-2016-1559

onsdag 16 mars 2016 09:36

Overview

ZERO - DAY: Researchers at Carnegie Mellon and Boston universities used an open-source framework to perform dynamic security analysis on embedded firmware.  Two issues affect D-Link:

ISSUES

1) Buffer overflow: The web server for D-Link Access Points has a buffer overflow vulnerability triggered while parsing the dlink _uid cookie (CVE-2016-1558)

Impact: APs may be exposed to possibilities leading to abnormal operation such as the Web Manage page not allowing login. This means the user cannot adjust the settings of the device and other functions under the Web Manager. However, this does not lead to remote code execution and a hacker cannot take control of the device, gain passwords or any other illegal entry to the network through this vulnerability.  

2) Password/ Username Exposure through SNMP: For 3 D-Link Access Points (DAP-1353 H/W ver. B1, DAP-2553 H/W ver. A1, DAP-3520 H/W ver. A1), the administrative username/password is exposed through SNMP OID strings. CVE-2016-1559. 

Impact : The SNMP OID string text containing the password/username can only be accessed if the following 3 conditions are met: 1) SNMP protocol is enabled. 2) the device administrator is performing management tasks through SNMP. 3) The attacker sniffs out the correct packets to obtain the password/username. Please note that not all D-Link access points have the SNMP protocol enabled by default. 

References

General Recommendations

Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclosures.

Affected Product

1) Firmware updates for the OVERFLOW issue are to be released before Mid April. 

Model Name

Affected Firmware

FW Version Fix for Exploit

DAP-2230

1.02 or earlier 

FW: 1.03

DAP-2310

2.06 or earlier

FW: 2.07

DAP-2330  1.06 or earlier  FW: 1.07 

DAP-2360

2.06 or earlier

FW: 2.07

DAP-2553 H/W ver. B1

3.05 or earlier

FW: 3.06

DAP-2660

1.11 or earlier

FW: 1.13

DAP-2690

3.15 or earlier

FW: 3.16

DAP-2695

1.16 or earlier

FW: 1.17

DAP-3320  1.00 or earlier  FW: 1.01
Estimated availability 15/04/2016 
DAP-3662  1.01 or earlier  FW: 1.02 

 

2) A temporary fix for SNMP issue is to disable the SNMP protocol through the device web configuration.

Model Name

Affected Firmware

FW Version Fix for Exploit

DAP-1353 H/W vers. B1

3.15 or earlier 

FW: 3.16

DAP-2553 H/W ver. A1

1.31 or earlier

FW: 1.32 

DAP-3520 H/W ver. A1

1.16 or earlier

FW: 1.17

 

Share

Press Contacts

Kaizo PR:
+44 (0)20 3176 4700
[email protected]