CVE-2021-41504 - OpenCVE

An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Dlink	Dcs-5000l Dcs-932l Dcs-932l Firmware Dcs-5000l Firmware

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dcs-932l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:dlink:dcs-5000l_firmware:1.05:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-5000l:-:*:*:*:*:*:*:*

References

Link	Resource
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247	Vendor Advisory
https://www.dlink.com/en/security-bulletin/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-24T19:30:35

Updated: 2021-09-24T19:48:03

Reserved: 2021-09-20T00:00:00

Link: CVE-2021-41504

JSON object: View

NVD Information

Status : Modified

Published: 2021-09-24T20:15:07.437

Modified: 2024-05-17T02:01:13.233

Link: CVE-2021-41504

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-24T19:48:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dlink.com/en/security-bulletin/"}, {"tags": ["x_refsource_MISC"], "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247"}], "tags": ["unsupported-when-assigned"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-41504", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** UNSUPPORTED WHEN ASSIGNED ** An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.dlink.com/en/security-bulletin/", "refsource": "MISC", "url": "https://www.dlink.com/en/security-bulletin/"}, {"name": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247", "refsource": "MISC", "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-41504", "datePublished": "2021-09-24T19:30:35", "dateReserved": "2021-09-20T00:00:00", "dateUpdated": "2021-09-24T19:48:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-932l_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CC03FDD-D493-40AE-8237-49B5CCD8B2A7", "versionEndIncluding": "2.17", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-932l:-:*:*:*:*:*:*:*", "matchCriteriaId": "34775D9A-F16B-43C5-A8F4-88C0F9760364", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-5000l_firmware:1.05:*:*:*:*:*:*:*", "matchCriteriaId": "623442BE-FC1A-48A1-BEB6-3190D7D5C1B9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-5000l:-:*:*:*:*:*:*:*", "matchCriteriaId": "397F0BCA-7A8B-43A1-939D-27127384228D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer"}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Un problema de privilegios elevados se presenta en D-Link DCS-5000L versi\u00f3n v1.05 y DCS-932L versi\u00f3n v2.17 y anteriores. El uso de la autenticaci\u00f3n digest para la interfaz de comandos de los dispositivos puede permitir otros vectores de ataque que pueden comprometer la configuraci\u00f3n de las c\u00e1maras y permitir que usuarios maliciosos en la LAN accedan al dispositivo. NOTA: Esta vulnerabilidad s\u00f3lo afecta a los productos que ya no son soportados por el mantenedor."}], "id": "CVE-2021-41504", "lastModified": "2024-05-17T02:01:13.233", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-24T20:15:07.437", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10247"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.dlink.com/en/security-bulletin/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}