CVE-2018-18442
https://notcve.org/view.php?id=CVE-2018-18442
D-Link DCS-825L devices with firmware 1.08 do not employ a suitable mechanism to prevent denial-of-service (DoS) attacks. An attacker can harm the device availability (i.e., live-online video/audio streaming) by using the hping3 tool to perform an IPv4 flood attack. Verified attacks includes SYN flooding, UDP flooding, ICMP flooding, and SYN-ACK flooding. Los dispositivos D-Link DCS-825L con firmware en versión 1.08 no emplean un mecanismo adecuado para evitar ataques de denegación de servicio (DoS). Un atacante puede dañar la disponibilidad del dispositivo (como la transmisión de vídeo/audio en directo online) mediante el uso de la herramienta hping3 para realizar un ataque de inundación IPv4. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor •
CVE-2018-18441
https://notcve.org/view.php?id=CVE-2018-18441
D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. The affected devices include many of DCS series, such as: DCS-936L, DCS-942L, DCS-8000LH, DCS-942LB1, DCS-5222L, DCS-825L, DCS-2630L, DCS-820L, DCS-855L, DCS-2121, DCS-5222LB1, DCS-5020L, and many more. There are many affected firmware versions starting from 1.00 and above. The configuration file can be accessed remotely through: <Camera-IP>/common/info.cgi, with no authentication. The configuration file include the following fields: model, product, brand, version, build, hw_version, nipca version, device name, location, MAC address, IP address, gateway IP address, wireless status, input/output settings, speaker, and sensor settings. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-18767
https://notcve.org/view.php?id=CVE-2018-18767
An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials. Se ha descubierto un problema en la aplicación "myDlink Baby App", de D-Link, en su versión 2.04.06. Cuando se realizan acciones desde la aplicación (como el cambio de las opciones de la cámara o la reproducción de nanas), se comunica directamente con la cámara wifi (D-Link 825L con firmware en versión 1.08) con las credenciales (nombre de usuario y contraseña) en texto claro base64. • https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor • CWE-326: Inadequate Encryption Strength •