D-Link DAP-1860 Unauthenticated Command Bypass & Command Injection [CVE-2019-19598]
CVE number – CVE-2019-19598
D-Link DAP-1860 devices before v1.04b03 Beta allow access to administrator functions without authentication via the HNAP_AUTH header timestamp value. In HTTP requests, part of the HNAP_AUTH header is the timestamp used to determine the time when the user sent the request.
If this value is equal to the value stored in the device’s /var/hnap/timestamp file, the request will pass the HNAP_AUTH check function.
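The check described above, as an added sketch that is not D-Link's firmware code: `check_flawed` models a timestamp match that passes without the digest being examined, and `check_hardened` uses the timestamp only to reject replays and always verifies the digest. The header layout (`<digest> <timestamp>`), the HMAC-SHA256 stand-in, all function names and the sample values are assumptions.

```python
import hashlib
import hmac

def parse_hnap_auth(header):
    # Assumed layout for this sketch: "<hex digest> <decimal timestamp>".
    parts = header.split()
    if len(parts) != 2 or not (parts[1].isascii() and parts[1].isdigit()):
        return None
    return parts[0], int(parts[1])

def expected_digest(key, timestamp, soap_action):
    # HMAC-SHA256 is a stand-in for the firmware's keyed digest (assumption).
    msg = f"{timestamp}{soap_action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().upper()

def digest_matches(digest, key, timestamp, soap_action):
    want = expected_digest(key, timestamp, soap_action)
    return hmac.compare_digest(digest.upper().encode(), want.encode())

def check_flawed(header, soap_action, key, stored_ts):
    """Model of the described bug: a timestamp equal to the stored one passes."""
    parsed = parse_hnap_auth(header)
    if parsed is None:
        return False
    digest, ts = parsed
    if ts == stored_ts:
        return True  # the digest is never examined on this path
    return digest_matches(digest, key, ts, soap_action)

def check_hardened(header, soap_action, key, stored_ts):
    """Timestamp only gates replays; the keyed digest is always verified."""
    parsed = parse_hnap_auth(header)
    if parsed is None:
        return False
    digest, ts = parsed
    if ts <= stored_ts:
        return False  # equal or older than the last accepted value: reject
    return digest_matches(digest, key, ts, soap_action)

# Constructed sample values, not taken from a device.
KEY = b"constructed-session-key"
ACTION = '"urn:example:GetSettings"'
STORED_TS = 1575000000
FORGED = f"{'0' * 64} {STORED_TS}"
VALID = f"{expected_digest(KEY, STORED_TS + 1, ACTION)} {STORED_TS + 1}"
```

In the hardened form the caller would store the new timestamp only after a request has passed, so the stored value never becomes a credential on its own.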
D-Link investigated and validated the report and, in coordination with the third party, has released the following Beta Hot-Fix. We recommend always keeping firmware up to date; it can be found at https://support.dlink.com/ProductInfo.aspx?m=DAP-1860
Further details regarding this issue can be found here.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
D-Link SIRT :: For Accurate and Up-to-Date information please go to: https://bit.ly/2YigWFR