CVE-2014-7857

Name of the Vulnerable Software and Affected Versions D-Link DNS-320L versions prior to 1.04b12 D-Link DNS-327L versions prior to 1.03b04 Build0119 D-Link DNR-326 version 1.40b03 D-Link DNS-320B version 1.02b01 D-Link DNS-345 version 1.03b06 D-Link DNS-325 version 1.05b03 D-Link DNS-322L version 2.00b07

Description The issue is related to weaknesses in the authentication procedure of the D-Link router firmware. It allows a remote attacker to bypass authentication and gain administrator privileges by using a specially crafted command. The attacker can pass the cgi set wto command in the cmd parameter and set the spawned session's cookie to username=admin to log in with administrator permissions.

Recommendations For D-Link DNS-320L version prior to 1.04b12, update to version 1.04b12 or later. For D-Link DNS-327L version prior to 1.03b04 Build0119, update to version 1.03b04 Build0119 or later. For D-Link DNR-326 version 1.40b03, update to a version later than 1.40b03. For D-Link DNS-320B version 1.02b01, update to a version later than 1.02b01. For D-Link DNS-345 version 1.03b06, update to a version later than 1.03b06. For D-Link DNS-325 version 1.05b03, update to a version later than 1.05b03. For D-Link DNS-322L version 2.00b07, update to a version later than 2.00b07. As a temporary workaround, consider restricting access to the cgi set wto command in the affected firmware until a patch is available.