{"vuid":"VU#971705","idnumber":"971705","name":"Multiple D-Link routers fail to properly process UPnP M-SEARCH requests","keywords":["D-Link","router","buffer overflow","arbitrary code execution","UPnP","M-SEARCH"],"overview":"A buffer overflow vulnerability in the software that operates certain models of D-Link routers could allow a remote attacker to execute arbitrary code on the affected device.","clean_desc":"UPnP\nUniversal Plug and Play (UPnP) is a system that allows network devices to operate together. M-SEARCH\nWhen a device adds itself to a UPnP network, it may send a broadcast request to get information about other UPnP devices already on the network. This broadcast message is called an M-SEARCH directive. The problem\nSending an oversized M-SEARCH request to an affected D-Link router's LAN or WLAN interface may result in a buffer overflow. The following router models are reported to be affected: DI-524 Rev A, C, D\nDI-604 Rev E\nDI-624 Rev C, D\nDI-784 Rev A\nEBR-2310 Rev A\nWBR-1310 Rev A","impact":"An unauthenticated attacker may be able to execute arbitrary code or cause the router to reboot.","resolution":"Upgrade\nD-Link has issued firmware upgrades to address this vulnerability. See the D-Link support site for information on obtaining the latest version of firmware.","workarounds":"Disable UPnP\nIf the UPnP service is not needed, disabling it may reduce exposure to this vulnerability. Refer to D-Link's support site for instructions on how to disable UPnP on a particular model of router. The references section of this document has direct links to instructions on how to disable UPnP on some of the affected routers. Restrict access\nRestrict access to the LAN and WLAN interface to trusted hosts only. Preventing network traffic on port 1900/udp from reaching the LAN or WLAN interface may limit exposure to this vulnerability.","sysaffected":"","thanks":"Barnaby Jack of \neEye\n Digital Security reported this vulnerability.","author":"This document was written by Ryan Giobbi.","public":["http://secunia.com/advisories/21081/","http://www.eeye.com/html/research/advisories/AD20060714.html","http://support.dlink.com/products/view.asp?productid=DI%2D524","http://support.dlink.com/"],"cveids":["CVE-2006-3687"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-07-17T17:44:28Z","publicdate":"2006-07-17T00:00:00Z","datefirstpublished":"2006-08-03T14:44:40Z","dateupdated":"2007-01-23T15:23:09Z","revision":59,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"18","cam_exploitation":"0","cam_internetinfrastructure":"2","cam_population":"6","cam_impact":"10","cam_easeofexploitation":"3","cam_attackeraccessrequired":"2","cam_scorecurrent":"0.135","cam_scorecurrentwidelyknown":"0.1485","cam_scorecurrentwidelyknownexploited":"0.2835","ipprotocol":"udp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.135,"vulnote":null}