CVE-2024-38437 - Vulnerability Details - OpenCVE

Description

D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel

Published: 2024-07-21

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DSL-225

unaffected

Version	Status	Constraints
`version BZ_1.00.16`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dsl-225_firmware:bz_1.00.16:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dsl-225:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

The product is EOL. The Vendor recommends these devices be retired and replaced.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-37329	D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00246.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.gov.il/en/Departments/faq/cve_advisories

History

Thu, 29 Aug 2024 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dsl-225 Dlink dsl-225 Firmware
Weaknesses		CWE-306
CPEs		cpe:2.3:h:dlink:dsl-225:-:::::::* cpe:2.3:o:dlink:dsl-225_firmware:bz_1.00.16:::::::*
Vendors & Products		Dlink Dlink dsl-225 Dlink dsl-225 Firmware

Subscriptions

Dlink Dsl-225 Dsl-225 Firmware

MITRE

Status: PUBLISHED

Assigner: INCD

Published: 2024-07-21T07:17:40.752Z

Updated: 2024-08-02T04:12:24.976Z

Reserved: 2024-06-16T08:00:52.286Z

Link: CVE-2024-38437

Vulnrichment

Updated: 2024-08-02T04:12:24.976Z

NVD

Status : Modified

Published: 2024-07-21T08:15:06.243

Modified: 2024-11-21T09:25:51.270

Link: CVE-2024-38437

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38437", "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "state": "PUBLISHED", "assignerShortName": "INCD", "dateReserved": "2024-06-16T08:00:52.286Z", "datePublished": "2024-07-21T07:17:40.752Z", "dateUpdated": "2024-08-02T04:12:24.976Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DSL-225", "vendor": "D-Link", "versions": [{"status": "affected", "version": "version BZ_1.00.16", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hai Vaknin, Yehuda Smirnov"}], "datePublic": "2024-07-18T07:05:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><p><span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">D-Link </span><span style=\"background-color: rgb(255, 255, 255);\">- </span><span style=\"background-color: rgb(255, 255, 255);\">CWE-288:Authentication Bypass Using an Alternate Path or Channel</span>\n\n<br></span><br>\n\n</p>\n\n</span>"}], "value": "D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD", "dateUpdated": "2024-07-21T07:17:40.752Z"}, "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">The product is EOL. The Vendor recommends these devices be retired and replaced.</span>\n\n<br>"}], "value": "The product is EOL. The Vendor recommends these devices be retired and replaced."}], "source": {"advisory": "ILVN-2024-0175", "discovery": "UNKNOWN"}, "title": "D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T20:34:54.288682Z", "id": "CVE-2024-38437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T20:35:11.435Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:24.976Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:24.976Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-26T20:34:54.288682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T20:35:04.569Z"}}], "cna": {"title": "D-Link - CWE-288: Authentication Bypass Using an Alternate Path or Channel", "source": {"advisory": "ILVN-2024-0175", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Hai Vaknin, Yehuda Smirnov"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "D-Link", "product": "DSL-225", "versions": [{"status": "affected", "version": "version BZ_1.00.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The product is EOL. The Vendor recommends these devices be retired and replaced.", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">The product is EOL. The Vendor recommends these devices be retired and replaced.</span>\n\n<br>", "base64": false}]}], "datePublic": "2024-07-18T07:05:00.000Z", "references": [{"url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><p><span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">D-Link </span><span style=\"background-color: rgb(255, 255, 255);\">- </span><span style=\"background-color: rgb(255, 255, 255);\">CWE-288:Authentication Bypass Using an Alternate Path or Channel</span>\n\n<br></span><br>\n\n</p>\n\n</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "shortName": "INCD", "dateUpdated": "2024-07-21T07:17:40.752Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38437", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:12:24.976Z", "dateReserved": "2024-06-16T08:00:52.286Z", "assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f", "datePublished": "2024-07-21T07:17:40.752Z", "assignerShortName": "INCD"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dsl-225_firmware:bz_1.00.16:*:*:*:*:*:*:*", "matchCriteriaId": "CACDC864-A03E-43AA-8BEF-CAF5BC5C6674", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dsl-225:-:*:*:*:*:*:*:*", "matchCriteriaId": "C74968AF-D872-450B-8E25-3B62FF3ECF1B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "D-Link - CWE-288:Authentication Bypass Using an Alternate Path or Channel"}, {"lang": "es", "value": " D-Link - CWE-288: omisi\u00f3n de autenticaci\u00f3n mediante una ruta o canal alternativo"}], "id": "CVE-2024-38437", "lastModified": "2024-11-21T09:25:51.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cna@cyber.gov.il", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-21T08:15:06.243", "references": [{"source": "cna@cyber.gov.il", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.gov.il/en/Departments/faq/cve_advisories"}], "sourceIdentifier": "cna@cyber.gov.il", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "cna@cyber.gov.il", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}