CVE-2017-8417

Name of the Vulnerable Software and Affected Versions D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified)

Description An issue was discovered where D-Link devices allow communication with D-Link apps on mobile devices and desktops without authentication. The device uses a custom version of base64 encoding to pass data between the apps and the device. However, this communication can be initiated by any process, including an attacker process, allowing a third party to retrieve the device's password without authentication by sending a single UDP packet with custom base64 encoding. The severity of this attack is increased due to the large number of D-Link devices, with over 100,000 devices potentially affected.

Recommendations For D-Link DCS-1100, consider disabling communication with D-Link apps until a patch is available. For D-Link DCS-1130, restrict access to the custom base64 encoding functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the device's password retrieval feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.