PT-2021-17956 · D-Link · D-Link DAP-2360 +8

Published: 2021-08-10 · Updated: 2021-08-17 · CVE-2021-28840

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
D-Link DAP-2310 version 2.07.RC031
D-Link DAP-2330 version 1.07.RC028
D-Link DAP-2360 version 2.07.RC043
D-Link DAP-2553 version 3.06.RC027
D-Link DAP-2660 version 1.13.RC074
D-Link DAP-2690 version 3.16.RC100
D-Link DAP-2695 version 1.17.RC063
D-Link DAP-3320 version 1.01.RC014
D-Link DAP-3662 version 1.01.RC022
Description: A NULL pointer dereference vulnerability exists in the upload config function of the sbin/httpd binary. When the binary handles a specific HTTP GET request, the upload file variable in the upload config function is NULL. The function then passes it to strncasecmp as the first argument, which causes the NULL pointer dereference.
Recommendations: For each affected product and version (D-Link DAP-2310 version 2.07.RC031, DAP-2330 version 1.07.RC028, DAP-2360 version 2.07.RC043, DAP-2553 version 3.06.RC027, DAP-2660 version 1.13.RC074, DAP-2690 version 3.16.RC100, DAP-2695 version 1.17.RC063, DAP-3320 version 1.01.RC014 and DAP-3662 version 1.01.RC022), consider disabling the upload config function in the sbin/httpd binary until a patch is available.
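
The defect class in the description, shown as an added C example that is not D-Link's code: a parameter lookup that returns NULL when the field is absent, the unchecked strncasecmp call, and the guarded form. The names `query_param`, `upload_file`, the `"config"` prefix and the status codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical lookup: value of `name` in "a=1&b=2", or NULL when absent. */
static const char *query_param(const char *query, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = query; p && *p; ) {
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return p + n + 1;          /* points at the value */
        p = strchr(p, '&');            /* advance to the next pair */
        if (p)
            p++;
    }
    return NULL;                       /* parameter not in the request */
}

/* Pattern from the description: the lookup result goes straight into
 * strncasecmp. A request without the field makes `file` NULL and the
 * process faults (never called here). */
int upload_config_unchecked(const char *query)
{
    const char *file = query_param(query, "upload_file");
    return strncasecmp(file, "config", 6) == 0;
}

/* Guarded form: reject the request before any string function sees NULL. */
int upload_config_checked(const char *query)
{
    const char *file = query_param(query, "upload_file");
    if (file == NULL)
        return 400;                    /* missing field: bad request */
    if (strncasecmp(file, "config", 6) != 0)
        return 415;                    /* present but not an expected name */
    return 200;
}

int main(void)
{
    /* Constructed sample query strings. */
    printf("%d\n", upload_config_checked("action=upload"));
    printf("%d\n", upload_config_checked("upload_file=CONFIG.bin"));
    return 0;
}
```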

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2021-28840

Affected Products

D-Link DAP-2310
D-Link DAP-2330
D-Link DAP-2360
D-Link DAP-2553
D-Link DAP-2660
D-Link DAP-2690
D-Link DAP-2695
D-Link DAP-3320
D-Link DAP-3662