cnvd - cnvd-2018-26803

cnvd-2018-26803

Vulnerability from cnvd

Title: D-Link myDlink Baby App信息泄露漏洞

Description:

D-Link myDlink Baby App是友讯（D-Link）公司的一款用于管理控制D-Link婴儿监视器的应用程序。

D-Link myDlink Baby App2.04.06版本中存在信息泄露漏洞，该漏洞源于当使用该应用程序执行操作时（例如，修改摄像头设置或播放摇篮曲），程序用base64编码的明文凭证（用户名和密码）直接与Wi-Fi摄像头（采用1.08版本固件的D-Link 825L）通信，本地攻击者可通过实施中间人攻击利用该漏洞获取凭证。

Severity: 低

Formal description:

厂商尚未提供漏洞修复方案，请关注厂商主页更新： http://www.dlink.com/

Reference: https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/

Impacted products

Name
D-Link myDlink Baby App 2.04.06

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-18767"
    }
  },
  "description": "D-Link myDlink Baby App\u662f\u53cb\u8baf\uff08D-Link\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8e\u7ba1\u7406\u63a7\u5236D-Link\u5a74\u513f\u76d1\u89c6\u5668\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\n\nD-Link myDlink Baby App2.04.06\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53\u4f7f\u7528\u8be5\u5e94\u7528\u7a0b\u5e8f\u6267\u884c\u64cd\u4f5c\u65f6\uff08\u4f8b\u5982\uff0c\u4fee\u6539\u6444\u50cf\u5934\u8bbe\u7f6e\u6216\u64ad\u653e\u6447\u7bee\u66f2\uff09\uff0c\u7a0b\u5e8f\u7528base64\u7f16\u7801\u7684\u660e\u6587\u51ed\u8bc1\uff08\u7528\u6237\u540d\u548c\u5bc6\u7801\uff09\u76f4\u63a5\u4e0eWi-Fi\u6444\u50cf\u5934\uff08\u91c7\u75281.08\u7248\u672c\u56fa\u4ef6\u7684D-Link 825L\uff09\u901a\u4fe1\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u51ed\u8bc1\u3002",
  "discovererName": "unknown",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttp://www.dlink.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-26803",
  "openTime": "2018-12-27",
  "products": {
    "product": "D-Link myDlink Baby App 2.04.06"
  },
  "referenceLink": "https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/",
  "serverity": "\u4f4e",
  "submitTime": "2018-12-21",
  "title": "D-Link myDlink Baby App\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2018-18767 (GCVE-0-2018-18767)

Vulnerability from cvelistv5

Published

2018-12-20 22:00

Modified

2024-08-05 11:16

Severity ?

CWE

Summary

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.

References

▼	URL	Tags
	https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T11:16:00.386Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-11-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in D-Link \u0027myDlink Baby App\u0027 version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-20T21:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-18767",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in D-Link \u0027myDlink Baby App\u0027 version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/",
              "refsource": "MISC",
              "url": "https://dojo.bullguard.com/dojo-by-bullguard/blog/i-got-my-eyeon-you-security-vulnerabilities-in-baby-monitor/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-18767",
    "datePublished": "2018-12-20T22:00:00",
    "dateReserved": "2018-10-28T00:00:00",
    "dateUpdated": "2024-08-05T11:16:00.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted