CVE-2020-29557
Published: 2021-01-29
Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW: CISA Known Exploited Vulnerability, remediation due 2022-05-03 · Exploited in the wild
EPSS: 54.32% (98.9th percentile)
An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dlink | dir-825_r1_firmware | <= 3.0.1 | — |
Detection & IOCs (extracted from sources)
URL: /check_browser?lang=
Suricata rule (ET sid 2034280; it uses Suricata sticky-buffer keywords such as http.method and http.uri, so it is not valid Snort 2 syntax as written):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2020_29557, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22;)
- Exploit traffic is an HTTP GET to the /check_browser?lang= URI on the device web interface; the rule fires only when at least 100 bytes of URI data follow the matched string (isdataat:100,relative), i.e. a lang value far longer than any language code and consistent with a buffer-overflow attempt.
- Traffic direction is inbound to $HOME_NET/$HTTP_SERVERS; the rule metadata lists both Perimeter and Internal deployment, so apply it on internal segments where these routers sit, not only at the edge.
- The bug is pre-authentication: no session or credentials are needed, so an unauthenticated GET to /check_browser?lang= carrying a long value should be handled as a high-severity alert rather than as scanning noise.
- The rule matches on $HOME_NET and $HTTP_SERVERS; D-Link DIR-825 R1 management addresses must be included in those variable definitions or the rule will not fire.
- Affected devices are D-Link DIR-825 R1 units on firmware through 3.0.1 built before 2020-11-20. The CVE description puts firmware from that date onward outside the affected range, but no fixed version is recorded in the range table, so verify the firmware build date on the device rather than assuming it is patched.
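As an added illustration (not code from this page, from the ET rule authors, or from the researcher write-up the rule references), the Python below re-implements the match conditions of sid 2034280 so the same logic can be run offline over captured requests during triage. The sample requests, the placeholder device address 192.0.2.1 and the function names are constructed for this example. It approximates Suricata's buffers (method token, URI string) and reads isdataat:100,relative as "at least 100 bytes of URI remain after the marker"; the IDS itself stays authoritative for edge cases such as URI normalization.

```python
"""Offline re-implementation of the match logic in ET sid 2034280 for triage.

Added example; all requests below are constructed and target a placeholder
address. Nothing here touches a real device.
"""

URI_MARKER = b"/check_browser?lang="   # content:"/check_browser?lang="; nocase
MIN_TRAILING_BYTES = 100               # isdataat:100,relative
DEVICE = b"192.0.2.1"                  # placeholder (TEST-NET-1), not a real router


def parse_request_line(raw: bytes):
    """Split the HTTP request line into (method, uri); None if malformed."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def matches_sid_2034280(raw: bytes) -> bool:
    """True when a raw HTTP request satisfies the rule's content checks.

    Approximates the Suricata logic: the method buffer is "GET"
    (case-sensitive, as in the rule), the URI buffer contains the marker
    (nocase), and at least MIN_TRAILING_BYTES of URI remain after the match.
    """
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method != b"GET":
        return False
    idx = uri.lower().find(URI_MARKER)      # nocase: compare lower-cased URI
    if idx < 0:
        return False
    end_of_match = idx + len(URI_MARKER)
    return len(uri) - end_of_match >= MIN_TRAILING_BYTES


def build_request(method: bytes, uri: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 request to the placeholder device."""
    return method + b" " + uri + b" HTTP/1.1\r\nHost: " + DEVICE + b"\r\n\r\n"


# Constructed samples (label, raw request); none of these come from the page.
SAMPLES = [
    ("benign_lang", build_request(b"GET", b"/check_browser?lang=en")),
    ("long_lang_get", build_request(b"GET", b"/check_browser?lang=" + b"A" * 120)),
    ("long_lang_post", build_request(b"POST", b"/check_browser?lang=" + b"A" * 120)),
    ("mixed_case_get", build_request(b"GET", b"/CHECK_BROWSER?Lang=" + b"B" * 100)),
    ("just_under_threshold", build_request(b"GET", b"/check_browser?lang=" + b"C" * 99)),
    ("other_uri", build_request(b"GET", b"/index.html?lang=" + b"D" * 200)),
]


def scan(samples=SAMPLES):
    """Return the labels of the samples that would raise the alert."""
    return [label for label, raw in samples if matches_sid_2034280(raw)]


if __name__ == "__main__":
    for label in scan():
        print("ALERT sid:2034280", label)
```

Only the two GET requests with a long lang value alert; the POST with the same payload, the 99-byte value and the unrelated URI do not, which matches the rule's reliance on the method buffer, the URI marker and the trailing-data check together rather than on the path alone.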
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
| CISA | — | 9.8 | CRITICAL | — |
GHSA
GHSA-x5v2-fv6f-w5rh (ghsa, unreviewed · 2022-05-24 · CVE-2020-29557 [CRITICAL] · CWE-119)
An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.
VulnCheck
D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability (vulncheck · 2020 · CVSS 9.8 · CVE-2020-29557 [CRITICAL] · CWE-119)
D-Link DIR-825 R1 devices contain a buffer overflow vulnerability in the web interface that may allow for remote code execution.
Affected: D-Link DIR-825 R1 Devices
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/
- https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
- https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-13&host_type=src&vulnerability=cve-2020-29557
- https://dashboard.
CISA
D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability (cisa · 2021-11-03 · CVSS 9.8 · CVE-2020-29557 [CRITICAL] · CWE-119)
Affected: D-Link DIR-825 R1 Devices
D-Link DIR-825 R1 devices contain a buffer overflow vulnerability in the web interface that may allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-29557
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557) (suricata · 2021-10-28 · CVSS 9.8 · CVE-2020-29557 [CRITICAL])
Rule: ET sid 2034280, rev 2; full rule text is given under Detection & IOCs above.
No public exploits indexed.
Unit42
Network Attack Trends: February-April 2021 (blogs_unit42 · 2021-07-01)
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen · Published: July 1, 2021 · Trend Reports · Vulnerabilities · Network security trends
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Fortinet
The Ghosts of Mirai | FortiGuard Labs (blogs_fortinet · 2021-06-24)
FortiGuard Labs Threat Research Report
By David Maciejak and Joie Salvio | June 24, 2021
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
It has been almost five years since the source code of the notorious MIRAI IoT malware was released to the public by its author in late 2016. This event led to the emergence of numerous copycats, creating their own flavors of IoT botnet armies. Although improvements have been constantly added since then by various threat actors, the structure and goal of the campaigns have remained the same.
IoT malware scans the Internet for IoT devices that use default or weak usernames and passwords. They also seek
Greynoiseio
Malicious Tag Roundup (October 2021) (blogs_greynoiseio · CVSS 10.0 · [CRITICAL])
Timeline: 2021-01-29 published · 2021-11-03 added to CISA KEV · exploited in the wild