SB2021071610 - Multiple vulnerabilities in D-LINK DIR-3040
Published: July 16, 2021 Updated: September 27, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2021-21816)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the Syslog functionality. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Use of hard-coded credentials (CVE-ID: CVE-2021-21820)
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code in the Libcli Test Environment functionality. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) OS Command Injection (CVE-ID: CVE-2021-21819)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Libcli Test Environment functionality. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Information disclosure (CVE-ID: CVE-2021-21817)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the Zebra IP Routing Manager functionality. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Use of Hard-coded Password (CVE-ID: CVE-2021-21818)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to presence of hard-coded password in the Zebra IP Routing Manager functionality. A remote unauthenticated attacker can send a specially crafted network request and cause a denial of service condition on the target system.
6) Use of hard-coded credentials (CVE-ID: CVE-2021-21913)
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code within the WiFi Smart Mesh functionality. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1281
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1285
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1284
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1282
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1283
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1361