CVE-2021-28840

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Null Pointer Dereference vulnerability exists in D-Link DAP-2310 2.07.RC031, DAP-2330 1.07.RC028, DAP-2360 2.07.RC043, DAP-2553 3.06.RC027, DAP-2660 1.13.RC074, DAP-2690 3.16.RC100, DAP-2695 1.17.RC063, DAP-3320 1.01.RC014 and DAP-3662 1.01.RC022 in the upload_config function of sbin/httpd binary. When the binary handle the specific HTTP GET request, the content in upload_file variable is NULL in the upload_config function then the strncasecmp would take NULL as first argument, and incur the NULL pointer dereference vulnerability.

Se presenta una vulnerabilidad de Desreferencia de Puntero Null en D-Link DAP-2310 versión 2.07.RC031, DAP-2330 versión 1.07.RC028, DAP-2360 versión 2.07.RC043, DAP-2553 versión 3.06.RC027, DAP-2660 versión 1. 13.RC074, DAP-2690 versión 3.16.RC100, DAP-2695 versión 1.17.RC063, DAP-3320 versión 1.01.RC014 y DAP-3662 versión 1.01.RC022, en la función upload_config del binario sbin/httpd. Cuando el binario maneja la petición HTTP GET específica, el contenido en la variable upload_file es NULL en la función upload_config entonces el strncasecmp tomaría NULL como primer argumento, e incurriría en la vulnerabilidad de Desreferencia de Puntero Null

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-19 CVE Reserved
2021-08-10 CVE Published
2024-04-25 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (3)

URL	Tag	Source
https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve2.pdf	Third Party Advisory

URL	Date	SRC
https://github.com/zyw-200/EQUAFL/blob/main/dlink-email-cve.pdf	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://www.dlink.com/en/security-bulletin	2021-08-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dlink Search vendor "Dlink"	Dap-2310 Firmware Search vendor "Dlink" for product "Dap-2310 Firmware"	2.0.7.rc031 Search vendor "Dlink" for product "Dap-2310 Firmware" and version "2.0.7.rc031"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2310 Search vendor "Dlink" for product "Dap-2310"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2330 Firmware Search vendor "Dlink" for product "Dap-2330 Firmware"	1.07.rc028 Search vendor "Dlink" for product "Dap-2330 Firmware" and version "1.07.rc028"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2330 Search vendor "Dlink" for product "Dap-2330"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2360 Firmware Search vendor "Dlink" for product "Dap-2360 Firmware"	2.07.rc043 Search vendor "Dlink" for product "Dap-2360 Firmware" and version "2.07.rc043"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2360 Search vendor "Dlink" for product "Dap-2360"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2553 Firmware Search vendor "Dlink" for product "Dap-2553 Firmware"	3.06.rc027 Search vendor "Dlink" for product "Dap-2553 Firmware" and version "3.06.rc027"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2553 Search vendor "Dlink" for product "Dap-2553"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2660 Firmware Search vendor "Dlink" for product "Dap-2660 Firmware"	1.13.rc074 Search vendor "Dlink" for product "Dap-2660 Firmware" and version "1.13.rc074"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2660 Search vendor "Dlink" for product "Dap-2660"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2690 Firmware Search vendor "Dlink" for product "Dap-2690 Firmware"	3.16.rc100 Search vendor "Dlink" for product "Dap-2690 Firmware" and version "3.16.rc100"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2690 Search vendor "Dlink" for product "Dap-2690"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-2695 Firmware Search vendor "Dlink" for product "Dap-2695 Firmware"	1.17.rc063 Search vendor "Dlink" for product "Dap-2695 Firmware" and version "1.17.rc063"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-2695 Search vendor "Dlink" for product "Dap-2695"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-3320 Firmware Search vendor "Dlink" for product "Dap-3320 Firmware"	1.01.rc014 Search vendor "Dlink" for product "Dap-3320 Firmware" and version "1.01.rc014"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-3320 Search vendor "Dlink" for product "Dap-3320"	-	-	Safe
Dlink Search vendor "Dlink"	Dap-3662 Firmware Search vendor "Dlink" for product "Dap-3662 Firmware"	1.01.rc022 Search vendor "Dlink" for product "Dap-3662 Firmware" and version "1.01.rc022"	-	Affected	in	Dlink Search vendor "Dlink"	Dap-3662 Search vendor "Dlink" for product "Dap-3662"	-	-	Safe