PT-2017-13466 · D Link · D-Link Dir-850L
Pierre Kim · Published 2017-09-13 · Updated 2023-11-08 · CVE-2017-14422
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
D-Link DIR-850L REV. A versions through FW114WWb07 h2ab beta1
D-Link DIR-850L REV. B versions through FW208WWb02
Description
The firmware uses a hardcoded private key in the /etc/stunnel.key file, and the same key is present across different installations. A remote attacker who knows this key from another installation can use it to bypass the HTTPS cryptographic protection.
Recommendations
For D-Link DIR-850L REV. A versions through FW114WWb07 h2ab beta1, update the firmware to a version that does not use the hardcoded private key.
For D-Link DIR-850L REV. B versions through FW208WWb02, update the firmware to a version that does not use the hardcoded private key.
As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation.
Exploit
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
D-Link Dir-850L