CERTVU:971705Multiple D-Link routers fail to properly process UPnP M-SEARCH requests
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
97.2%
Overview
A buffer overflow vulnerability in the software that operates certain models of D-Link routers could allow a remote attacker to execute arbitrary code on the affected device.
Description
UPnP
Universal Plug and Play (UPnP) is a system that allows network devices to operate together.
M-SEARCH
When a device adds itself to a UPnP network, it may send a broadcast request to get information about other UPnP devices already on the network. This broadcast message is called an M-SEARCH directive.
The problem
Sending an oversized M-SEARCH request to an affected D-Link router’s LAN or WLAN interface may result in a buffer overflow. The following router models are reported to be affected:
* DI-524 Rev A, C, D
* DI-604 Rev E
* DI-624 Rev C, D
* DI-784 Rev A
* EBR-2310 Rev A
* WBR-1310 Rev A
Impact
An unauthenticated attacker may be able to execute arbitrary code or cause the router to reboot.
Solution
Upgrade
D-Link has issued firmware upgrades to address this vulnerability. See the D-Link support site for information on obtaining the latest version of firmware.
Disable UPnP
If the UPnP service is not needed, disabling it may reduce exposure to this vulnerability. Refer to D-Link’s support site for instructions on how to disable UPnP on a particular model of router. The references section of this document has direct links to instructions on how to disable UPnP on some of the affected routers.
Restrict access
Restrict access to the LAN and WLAN interface to trusted hosts only. Preventing network traffic on port 1900/udp from reaching the LAN or WLAN interface may limit exposure to this vulnerability.
Vendor Information
971705
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
D-Link Systems, Inc. __ Affected
Notified: July 17, 2006 Updated: July 20, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Owners of an affected router are urged to visit D-Link’s website and upgrade their firmware.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23971705 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://secunia.com/advisories/21081/>
- <http://www.eeye.com/html/research/advisories/AD20060714.html>
- <http://support.dlink.com/products/view.asp?productid=DI-524>
- <http://support.dlink.com/>
Acknowledgements
Barnaby Jack of eEye Digital Security reported this vulnerability.
This document was written by Ryan Giobbi.
Other Information
| CVE IDs: | CVE-2006-3687 |
|---|---|
| Severity Metric: | 0.14 Date Public: |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
97.2%