Central WiFiManager (CWM-100) - Multiple vulnerability disclosed - Fix released

05 октомври, 2018

On October 4, 2018, it was disclosed that D-Link's Central WiFi Manager software (CWM-100), was found to contain multiple security vulnerabilities.

 

The D-Link Central WiFiManager software controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFi Manager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralised server to both remotely manage and monitor wireless APs on a network. Whether deployed on a local computer or hosted on a public cloud service, Central WiFi Manager can be easily integrated into existing networks in conjunction with supporting D-Link wireless APs, to help eliminate existing bottlenecks for wireless traffic.

 

Report Accreditation:

 

These vulnerabilities were discovered and researched by Julian Muñoz from Core Security Consulting Services.

The publication of advisory was coordinated by Leandro Cuozzo from Core Advisories Team.

 

Disclosure Report:

 

Disclosure available:  https://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities

  

  • 7.1. Unauthenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type [CVE-2018-17440]
  • 7.2. Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type [CVE-2018-17442]
  • 7.3. Cross-Site Scripting in the application site name parameter [CVE-2018-17443]
  • 7.4. Cross-Site Scripting in the creation of a new user [CVE-2018-17441]

 

Affected Products:

 

This disclosure directly affects the software package and current installations should be update with the new released available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk.

 

Solution/Patch/Fix:

 

Affected Product Affected Version Corrected Version Last Updated
CWM-100 :: D-Link Central WiFi Manager Ver. 1.03 for Windows Ver. 1.03R0100- Beta6 10/04/2017

 

Security Patches

 

These updates address the security vulnerabilities in affected D-Link software package. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

To update we recommend saving your configuration, uninstall the old package, then install the new update.