CVE-2019-17146

Name of the Vulnerable Software and Affected Versions D-Link DCS-960L version 1.07.102

Description The issue is related to a buffer overflow in the memory of the HNAP service of D-Link DCS series Wi-Fi cameras, allowing a remote attacker to execute arbitrary code on the target device by sending a specially crafted SOAP request. The flaw exists within the HNAP service, which listens on TCP port 80 by default, and is caused by the process not properly validating the length of user-supplied data prior to copying it to a stack-based buffer. This can be exploited without authentication.

Recommendations For D-Link DCS-960L version 1.07.102, consider disabling the HNAP service as a temporary workaround until a patch is available. Restrict access to TCP port 80 to minimize the risk of exploitation. Avoid using the SOAPAction request header in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.