Sign-up

ID

VAR-201808-0162


CVE

CVE-2017-11564


TITLE

D-Link EyeOn Baby Monitor Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-014243

DESCRIPTION

The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command injection vulnerabilities in the web service framework. An attacker can forge malicious HTTP requests to execute commands; authentication is required before executing the attack. The EyeOnBabyMonitorDCS-825L is a baby monitor from D-Link. # Vulnerability Type Command Injection # Affected Product Code Base DCS-825L EyeOn Baby Monitor - 1.08.1 # Affected Component web service framework # Attack Type Remote ------------------------------------------ # Attack Vectors Send a crafted HTTP request # Discoverer Dove Chiu (Trend Micro) # Vulnerability Detail We found that parts of the web framework are written in shell scripts. Additionally, upon reviewing the files, we found that parts of the variables can be controlled from user input. Fortunately, the web server uses basic authentication first, before anyone can access any webpage Reference: https://documents.trendmicro.com/assets/tech_brief_Device_Vulnerabilities_in_the_Connected_Home2.pdf # Status Fixed in the latest beta firmware <table class="TM_EMAIL_NOTICE"><tr><td><pre> TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. </pre></td></tr></table>

Trust: 2.34

sources: NVD: CVE-2017-11564 // JVNDB: JVNDB-2017-014243 // CNVD: CNVD-2018-15837 // VULHUB: VHN-101999 // PACKETSTORM: 149054

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-15837

AFFECTED PRODUCTS

vendor:dlinkmodel:eyeon baby monitorscope:eqversion:1.08.1

Trust: 1.6

vendor:d linkmodel:eyeon baby monitorscope:eqversion:1.08.1

Trust: 0.8

vendor:d linkmodel:dcs-825l eyeon baby monitorscope:eqversion:1.08.1

Trust: 0.6

sources: CNVD: CNVD-2018-15837 // JVNDB: JVNDB-2017-014243 // CNNVD: CNNVD-201707-1031 // NVD: CVE-2017-11564

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-11564
value: HIGH

Trust: 1.0

NVD: CVE-2017-11564
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-15837
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201707-1031
value: HIGH

Trust: 0.6

VULHUB: VHN-101999
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-11564
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-15837
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-101999
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-11564
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-15837 // VULHUB: VHN-101999 // JVNDB: JVNDB-2017-014243 // CNNVD: CNNVD-201707-1031 // NVD: CVE-2017-11564

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-101999 // JVNDB: JVNDB-2017-014243 // NVD: CVE-2017-11564

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-1031

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201707-1031

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-014243

PATCH
title:EyeOn Baby Monitor DCS-825Lurl:https://eu.dlink.com/uk/en/products/dcs-825l-wifi-baby-camera
Trust: 0.8
title:D-LinkEyeOnBabyMonitorDCS-825L has multiple command injection vulnerability patchesurl:https://www.cnvd.org.cn/patchInfo/show/138179
Trust: 0.6
title:D-Link EyeOn Baby Monitor ( DCS-825L ) Repair measures for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99946
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-15837 // 
            
            
            
            JVNDB: JVNDB-2017-014243 // 
            
            
            
            CNNVD: CNNVD-201707-1031

EXTERNAL IDS
db:NVDid:CVE-2017-11564
Trust: 3.2
db:JVNDBid:JVNDB-2017-014243
Trust: 0.8
db:CNNVDid:CNNVD-201707-1031
Trust: 0.7
db:CNVDid:CNVD-2018-15837
Trust: 0.6
db:PACKETSTORMid:149054
Trust: 0.2
db:VULHUBid:VHN-101999
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-15837 // 
            
            
            
            VULHUB: VHN-101999 // 
            
            
            
            JVNDB: JVNDB-2017-014243 // 
            
            
            
            PACKETSTORM: 149054 // 
            
            
            
            CNNVD: CNNVD-201707-1031 // 
            
            
            
            NVD: CVE-2017-11564

REFERENCES
url:https://documents.trendmicro.com/assets/tech_brief_device_vulnerabilities_in_the_connected_home2.pdf
Trust: 2.6
url:http://seclists.org/fulldisclosure/2018/aug/19
Trust: 2.3
url:https://nvd.nist.gov/vuln/detail/cve-2017-11564
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11564
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2018-15837 // 
            
            
            
            VULHUB: VHN-101999 // 
            
            
            
            JVNDB: JVNDB-2017-014243 // 
            
            
            
            PACKETSTORM: 149054 // 
            
            
            
            CNNVD: CNNVD-201707-1031 // 
            
            
            
            NVD: CVE-2017-11564

CREDITS
Dove Chiu
Trust: 0.1
sources:
            
            
            PACKETSTORM: 149054

SOURCES
db:CNVDid:CNVD-2018-15837
db:VULHUBid:VHN-101999
db:JVNDBid:JVNDB-2017-014243
db:PACKETSTORMid:149054
db:CNNVDid:CNNVD-201707-1031
db:NVDid:CVE-2017-11564

LAST UPDATE DATE
2024-11-23T22:38:05.341000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-15837date:2018-08-22T00:00:00
db:VULHUBid:VHN-101999date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2017-014243date:2018-11-28T00:00:00
db:CNNVDid:CNNVD-201707-1031date:2019-10-23T00:00:00
db:NVDid:CVE-2017-11564date:2024-11-21T03:08:01.910

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-15837date:2018-08-22T00:00:00
db:VULHUBid:VHN-101999date:2018-08-24T00:00:00
db:JVNDBid:JVNDB-2017-014243date:2018-11-28T00:00:00
db:PACKETSTORMid:149054date:2018-08-23T17:30:50
db:CNNVDid:CNNVD-201707-1031date:2017-07-24T00:00:00
db:NVDid:CVE-2017-11564date:2018-08-24T19:29:00.407