{"vuid":"VU#553503","idnumber":"553503","name":"D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials","keywords":["bypass","credentials"],"overview":"The D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass of the remote login page, and do not sufficiently protect administrator credentials.","clean_desc":"The D-Link DIR-130, firmware version 1.23, and DIR-330, firmware version 1.12, are vulnerable to the following: CWE-294: Authentication Bypass by Capture-replay - CVE-2017-3191 A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages such as tools_admin.asp without credentials. CWE-522: Insufficiently Protected Credentials - CVE-2017-3192 The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page (potentially through an authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device. D-Link has confirmed these issues to the CERT/CC. Other D-Link models may be affected by these issues, but were not tested by the reporter or the CERT/CC. CERT/CC has received a report that the DIR-655 may also be impacted, but has not verified it at this time.","impact":"A remote attacker may be able to obtain administrator credentials and access administrator functionality of the device.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem. Affected users may consider the following workaround:","workarounds":"Restrict Access As a general good security practice, only allow connections from trusted hosts and networks. 
Additionally, you may wish to disable remote administration of the router.","sysaffected":"","thanks":"Thanks to James Edge for reporting this vulnerability.","author":"This document was written by Garret Wassermann.","public":["http://cwe.mitre.org/data/definitions/294.html","http://cwe.mitre.org/data/definitions/522.html"],"cveids":["CVE-2017-3191","CVE-2017-3192"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2017-01-25T16:45:22Z","publicdate":"2017-03-15T00:00:00Z","datefirstpublished":"2017-03-15T13:48:13Z","dateupdated":"2017-03-24T17:02:06Z","revision":31,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"9","cvss_environmentalscore":"6.746283936","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}