D-Link DCS Series Cameras Insecure CrossDomain.XML Configuration (CVE-2017-7852)

Key Information Overview Announcement ID: QSA-2017-02-22 Announcement Date: February 22, 2017 Vulnerability Name: Insecure CrossDomain.XML in D-Link DCS Series Cameras Vulnerability Description: - D-Link DCS series network cameras contain a weak or insecure CrossDomain.XML file, allowing websites hosting malicious Flash objects to access and/or modify device settings. Reference Link: https://web.archive.org/web/20170222172704/http://us.dlink.com/product-category/home-solutions/view/network-cameras/ CVE Identifier: CVE-2017-7852 Vendor Response: - In 2016, we implemented CSRF mitigations on all camera CGIs, thus preventing similar injections via unauthenticated or unverified methods. - Please refer to the tracking table at the bottom of the report, which includes H/W revisions and firmware versions where CSRF mitigations were implemented. Lab Setup: - Target Camera: DCS-933L, Firmware Version 1.03 - Target IP Address: 10X.X.X.X - Malicious Flash Object Hosting Site: http://Maliciousxxxx.com - Camera Settings Sent To: http://MyMaliciousSite.com Affected/Tested Firmware Versions: DCS-933L running firmware version 1.03 is affected. The latest firmware for this device, as well as other devices such as DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, DCS-932LB1, etc., all include the same file with weak or improper configuration.

Goal Reached Thanks to every supporter — we hit 100%!

D-Link DCS Series Cameras Insecure CrossDomain.XML Configuration (CVE-2017-7852)