CVE-2019-19598

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request. If this value is equal to the value stored in the device's /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.

Los dispositivos D-Link DAP-1860 versiones anteriores a v1.04b03 Beta, permiten el acceso a las funciones de administrador sin autenticación por medio del valor de marca de tiempo del encabezado HNAP_AUTH. En las peticiones HTTP, parte del encabezado HNAP_AUTH es la marca de tiempo usada para determinar la hora en que el usuario envió la petición. Si este valor es igual al valor almacenado en el archivo /var/hnap/timestamp del dispositivo, la petición pasará la función de comprobación de HNAP_AUTH.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-05 CVE Reserved
2019-12-05 CVE Published
2023-04-08 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (2)

URL	Tag	Source
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10135	Third Party Advisory

URL	Date	SRC
https://chung96vn.wordpress.com/2019/11/15/d-link-dap-1860-vulnerabilities	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dlink Search vendor "Dlink"	Dap-1860 Firmware Search vendor "Dlink" for product "Dap-1860 Firmware"	1.01b06 Search vendor "Dlink" for product "Dap-1860 Firmware" and version "1.01b06"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-1860 Search vendor "Dlink" for product "Dap-1860"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-1860 Firmware Search vendor "Dlink" for product "Dap-1860 Firmware"	1.02b01 Search vendor "Dlink" for product "Dap-1860 Firmware" and version "1.02b01"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-1860 Search vendor "Dlink" for product "Dap-1860"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-1860 Firmware Search vendor "Dlink" for product "Dap-1860 Firmware"	1.04b01 Search vendor "Dlink" for product "Dap-1860 Firmware" and version "1.04b01"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-1860 Search vendor "Dlink" for product "Dap-1860"	-	-	Safe