FIRMADYNE CVE-2016-1558 & CVE-2016-1559
16 март, 2016
Overview
ZERO - DAY: Researchers at Carnegie Mellon and Boston universities used an open-source framework to perform dynamic security analysis on embedded firmware. Two issues affect D-Link:
ISSUES
1) Buffer overflow: The web server for D-Link Access Points has a buffer overflow vulnerability triggered while parsing the dlink _uid cookie (CVE-2016-1558)
Impact: APs may be exposed to possibilities leading to abnormal operation such as the Web Manage page not allowing login. This means the user cannot adjust the settings of the device and other functions under the Web Manager. However, this does not lead to remote code execution and a hacker cannot take control of the device, gain passwords or any other illegal entry to the network through this vulnerability.
2) Password/ Username Exposure through SNMP: For 3 D-Link Access Points (DAP-1353 H/W ver. B1, DAP-2553 H/W ver. A1, DAP-3520 H/W ver. A1), the administrative username/password is exposed through SNMP OID strings. CVE-2016-1559.
Impact : The SNMP OID string text containing the password/username can only be accessed if the following 3 conditions are met: 1) SNMP protocol is enabled. 2) the device administrator is performing management tasks through SNMP. 3) The attacker sniffs out the correct packets to obtain the password/username. Please note that not all D-Link access points have the SNMP protocol enabled by default.
References
- http://www.pcworld.com/article/3039176/security/new-firmware-analysis-framework-finds-serious-flaws-in-netgear-and-d-link-devices.html
- http://seclists.org/fulldisclosure/2016/Feb/112
General Recommendations
Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclosures.
Affected Product
1) Firmware updates for the OVERFLOW issue are to be released before Mid April.
Model Name |
Affected Firmware |
FW Version Fix for Exploit |
DAP-2230 |
1.02 or earlier |
FW: 1.03 |
DAP-2310 |
2.06 or earlier |
FW: 2.07 |
DAP-2330 | 1.06 or earlier | FW: 1.07 |
DAP-2360 |
2.06 or earlier |
FW: 2.07 |
DAP-2553 H/W ver. B1 |
3.05 or earlier |
FW: 3.06 |
DAP-2660 |
1.11 or earlier |
FW: 1.13 |
DAP-2690 |
3.15 or earlier |
FW: 3.16 |
DAP-2695 |
1.16 or earlier |
FW: 1.17 |
DAP-3320 | 1.00 or earlier | FW: 1.01 Estimated availability 15/04/2016 |
DAP-3662 | 1.01 or earlier | FW: 1.02 |
2) A temporary fix for SNMP issue is to disable the SNMP protocol through the device web configuration.
Model Name |
Affected Firmware |
FW Version Fix for Exploit |
DAP-1353 H/W vers. B1 |
3.15 or earlier |
FW: 3.16 |
DAP-2553 H/W ver. A1 |
1.31 or earlier |
FW: 1.32 |
DAP-3520 H/W ver. A1 |
1.16 or earlier |
FW: 1.17 |