[Japanese]

JVNDB-2021-002273

Multiple vulnerabilities in D-Link router DSL-2750U

Overview

D-Link router DSL-2750U is vulnerable to unauthorized configuration modification (CWE-15, CVE-2021-3707) and OS command injection (CWE-78, CVE-2021-3708).

Mohammed Hadi reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 8.3 (High) [Other]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
This CVSS score reflects CVE-2021-3707.
Affected Products


D-Link Systems, Inc.
  • DSL-2750U firmware vME1.16 or prior versions

Impact

An unauthenticated attacker on the local network may execute any OS commands on the vulnerable device.
Solution

[Update Firmware]
Apply the appropriate firmware upgrade according to the information provided by D-Link.
D-Link released the fixed firmware vME_1.22.
Vendor Information

D-Link Systems, Inc.
CWE (What is CWE?)

  1. External Control of System or Configuration Setting(CWE-15) [Other]
  2. OS Command Injection(CWE-78) [Other]
CVE (What is CVE?)

  1. CVE-2021-3707
  2. CVE-2021-3708
References

  1. JVN : JVNVU#92088210
  2. National Vulnerability Database (NVD) : CVE-2021-3707
  3. National Vulnerability Database (NVD) : CVE-2021-3708
  4. Related document : GitHub / HadiMed / firmware-analysis
Revision History

  • [2021/08/17]
      Web page was published

Date Public2021/08/16
Date First Published2021/08/17
Date Last Updated2021/08/17