ID

VAR-202002-1368


CVE

CVE-2020-8861


TITLE

Authentication vulnerability in D-Link DAP-1330

Trust: 0.8

sources: JVNDB: JVNDB-2020-002268

DESCRIPTION

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper handling of cookies. An attacker can leverage this vulnerability to execute arbitrary code on the router. The Zero Day Initiative tracked this vulnerability as ZDI-CAN-9554. Information may be obtained or tampered with, and service operation may be interrupted (DoS). D-Link DAP-1330 is an N300 Wi-Fi range extender.

Trust: 2.79

sources: NVD: CVE-2020-8861 // JVNDB: JVNDB-2020-002268 // ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

category: ['network device'], sub_category: router

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2020-13155

AFFECTED PRODUCTS

vendor: dlink, model: dap-1330, scope: lt, version: 1.10b01

Trust: 1.0

vendor: dlink, model: dap-1330, scope: eq, version: 1.10b01

Trust: 1.0

vendor: d link, model: dap-1330, scope: eq, version: 1.10b01 beta

Trust: 0.8

vendor: d link, model: dap-1330, scope: -, version: -

Trust: 0.7

vendor: d link, model: dap-1330 1.10b01 beta, scope: -, version: -

Trust: 0.6

sources: ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155 // JVNDB: JVNDB-2020-002268 // NVD: CVE-2020-8861

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-8861
value: HIGH

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2020-8861
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-002268
value: HIGH

Trust: 0.8

ZDI: CVE-2020-8861
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-13155
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202002-1073
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-8861
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-002268
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-13155
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-8861
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

zdi-disclosures@trendmicro.com: CVE-2020-8861
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-002268
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-8861
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155 // JVNDB: JVNDB-2020-002268 // CNNVD: CNNVD-202002-1073 // NVD: CVE-2020-8861 // NVD: CVE-2020-8861

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.8

problemtype:CWE-303

Trust: 1.0

sources: JVNDB: JVNDB-2020-002268 // NVD: CVE-2020-8861

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202002-1073

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-202002-1073

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-002268

PATCH

title: SAP10155, url: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10155

Trust: 1.5

title: Patch for D-Link DAP-1330 Certification Bypass Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/204099

Trust: 0.6

title: D-Link DAP-1330 Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=110261

Trust: 0.6

sources: ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155 // JVNDB: JVNDB-2020-002268 // CNNVD: CNNVD-202002-1073

EXTERNAL IDS

db: NVD, id: CVE-2020-8861

Trust: 3.8

db: ZDI, id: ZDI-20-265

Trust: 2.3

db: DLINK, id: SAP10155

Trust: 1.6

db: JVNDB, id: JVNDB-2020-002268

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-9554

Trust: 0.7

db: CNVD, id: CNVD-2020-13155

Trust: 0.6

db: CNNVD, id: CNNVD-202002-1073

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155 // JVNDB: JVNDB-2020-002268 // CNNVD: CNNVD-202002-1073 // NVD: CVE-2020-8861

REFERENCES

url:https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=sap10155

Trust: 2.3

url:https://www.zerodayinitiative.com/advisories/zdi-20-265/

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2020-8861

Trust: 1.2

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-8861

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-8861

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // ZDI: ZDI-20-265 // CNVD: CNVD-2020-13155 // JVNDB: JVNDB-2020-002268 // CNNVD: CNNVD-202002-1073 // NVD: CVE-2020-8861

CREDITS

chung96vn - Security Researcher of VinCSS (Member of Vingroup)

Trust: 0.7

sources: ZDI: ZDI-20-265

SOURCES

db: OTHER, id: -
db: ZDI, id: ZDI-20-265
db: CNVD, id: CNVD-2020-13155
db: JVNDB, id: JVNDB-2020-002268
db: CNNVD, id: CNNVD-202002-1073
db: NVD, id: CVE-2020-8861

LAST UPDATE DATE

2025-01-30T22:24:04.179000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-20-265, date: 2020-02-21T00:00:00
db: CNVD, id: CNVD-2020-13155, date: 2020-02-24T00:00:00
db: JVNDB, id: JVNDB-2020-002268, date: 2020-03-10T00:00:00
db: CNNVD, id: CNNVD-202002-1073, date: 2021-01-04T00:00:00
db: NVD, id: CVE-2020-8861, date: 2024-11-21T05:39:35.340

SOURCES RELEASE DATE

db: ZDI, id: ZDI-20-265, date: 2020-02-21T00:00:00
db: CNVD, id: CNVD-2020-13155, date: 2020-02-24T00:00:00
db: JVNDB, id: JVNDB-2020-002268, date: 2020-03-10T00:00:00
db: CNNVD, id: CNNVD-202002-1073, date: 2020-02-21T00:00:00
db: NVD, id: CVE-2020-8861, date: 2020-02-22T00:15:10.843