Attacker Value
Very Low
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Adjacent_network

CVE-2020-8862

Disclosure Date: February 22, 2020

Description

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the lack of proper password checking. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-10082.

Technical Analysis

This appliance is targeted towards small to medium enterprise, which means it is more valuable to an attacker than attacks against home user equipment.

If compromised, access to this device could be used to perform network-level compromise via DNS attacks or reveal sensitive information about the network.

It requires local network access in order to exploit the vulnerability. This device lists “Guest access control” as one of its features, so depending on its configuration local access may be available.

Devices like APs and embedded devices are often overlooked when applying security updates and patches.

At the time of analysis, there is no firmware update available to remediate the vulnerability although POC code does not yet appear to be publicly available.

Despite the absence of available POC code, it is trivial to download the firmware and extract the file system. A determined attacker could then identify the exploit manually.

General Information

Vendors

  • D-Link

Products

  • DAP-2610
