CVE-2020-9544 - Vulnerability Details - OpenCVE

An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
D-link	Dsl-2640b Dsl-2640b Firmware

Configuration 1 [-]

AND

cpe:2.3:o:d-link:dsl-2640b_firmware:e1_eu_1.01:*:*:*:*:*:*:*

cpe:2.3:h:d-link:dsl-2640b:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://ktln2.org/2020/03/05/cve-2020-9544/
https://www.dlink.com/en/security-bulletin

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-05T14:57:01

Updated: 2024-08-04T10:34:39.549Z

Reserved: 2020-03-02T00:00:00

Link: CVE-2020-9544

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-05T15:15:12.473

Modified: 2024-11-21T05:40:49.837

Link: CVE-2020-9544

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-05T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dlink.com/en/security-bulletin"}, {"tags": ["x_refsource_MISC"], "url": "https://ktln2.org/2020/03/05/cve-2020-9544/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-9544", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.dlink.com/en/security-bulletin", "refsource": "MISC", "url": "https://www.dlink.com/en/security-bulletin"}, {"name": "https://ktln2.org/2020/03/05/cve-2020-9544/", "refsource": "MISC", "url": "https://ktln2.org/2020/03/05/cve-2020-9544/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:34:39.549Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.dlink.com/en/security-bulletin"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ktln2.org/2020/03/05/cve-2020-9544/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-9544", "datePublished": "2020-03-05T14:57:01", "dateReserved": "2020-03-02T00:00:00", "dateUpdated": "2024-08-04T10:34:39.549Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:d-link:dsl-2640b_firmware:e1_eu_1.01:*:*:*:*:*:*:*", "matchCriteriaId": "022EB9C6-3CA6-4C8E-85C4-54A504079C3E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:d-link:dsl-2640b:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EFCC3A8-5DB8-4512-AF8A-9AB403A0B919", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos D-Link DSL-2640B E1 versi\u00f3n EU_1.01. La interfaz administrativa no realiza comprobaciones de autenticaci\u00f3n para una petici\u00f3n POST de actualizaci\u00f3n de firmware. Cualquier atacante que pueda acceder a la interfaz administrativa puede instalar el firmware de su elecci\u00f3n."}], "id": "CVE-2020-9544", "lastModified": "2024-11-21T05:40:49.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-05T15:15:12.473", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://ktln2.org/2020/03/05/cve-2020-9544/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.dlink.com/en/security-bulletin"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://ktln2.org/2020/03/05/cve-2020-9544/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.dlink.com/en/security-bulletin"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}