CVE-2017-3192 : D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not su

D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not sufficiently protect administrator credentials. The tools_admin.asp page discloses the administrator password in base64 encoding in the returned web page. A remote attacker with access to this page (potentially through a authentication bypass such as CVE-2017-3191) may obtain administrator credentials for the device.

Published 2017-12-16 02:29:10

Updated 2023-04-26 18:55:31

Source CERT/CC

View at NVD, CVE.org

Products affected by CVE-2017-3192

D-link » Dir-130 Firmware » Version: 1.23
cpe:2.3:o:d-link:dir-130_firmware:1.23:*:*:*:*:*:*:*
Matching versions
When used together with: Dlink » Dir-130 » Version: N/A
D-link » Dir-330 Firmware » Version: 1.12
cpe:2.3:o:d-link:dir-330_firmware:1.12:*:*:*:*:*:*:*
Matching versions
When used together with: Dlink » Dir-330 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2017-3192

EPSS FAQ

53.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 98 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-3192

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-3192

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Assigned by:
- cret@cert.org (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2017-3192

https://www.scmagazine.com/d-link-dir-130-and-dir-330-routers-vulnerable/article/644553/

D-Link DIR-130 and DIR-330 routers vulnerable | SC Media
Third Party Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/123292

D-Link DIR-130 and DIR-330 tools_admin.asp information disclosure CVE-2017-3192 Vulnerability Report
Issue Tracking;Third Party Advisory;VDB Entry
https://www.wilderssecurity.com/threads/d-link-dir-130-and-dir-330-are-vulnerable-to-authentication-bypass-and-do-not-protect-credentials.392703/

D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials | Wilders Security Forums
Issue Tracking;Third Party Advisory

CVEs referencing this url
https://www.kb.cert.org/vuls/id/553503

VU#553503 - D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
Issue Tracking;Third Party Advisory;US Government Resource

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2017-3192

Products affected by CVE-2017-3192

Exploit prediction scoring system (EPSS) score for CVE-2017-3192

CVSS scores for CVE-2017-3192

CWE ids for CVE-2017-3192

References for CVE-2017-3192