VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Aug 5, 2024

CVE-2018-12103

Description

Predictable CAPTCHA image URIs on D-Link DIR-890L, DIR-885L/R, and DIR-895L/R allow local network attackers to bypass CAPTCHA and attempt unauthorized login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the web configuration login CAPTCHA feature of D-Link DIR-890L (firmware 1.21B02beta01 and earlier), DIR-885L/R (firmware 1.21B03beta01 and earlier), and DIR-895L/R (firmware 1.21B04beta04 and earlier) devices, across all hardware revisions. The CAPTCHA images are served at predictable URIs following the pattern /docs/captcha_(number).jpeg, where the number is sequential and therefore trivially enumerable. Because the images can be fetched without authentication, an attacker can retrieve every CAPTCHA in advance, learn its solution, and select which one to present at login [1].

Exploitation

An attacker must be connected to the local network (LAN) of the affected access point but does not need to be authenticated to the administrator panel. By requesting the predictable CAPTCHA URIs, the attacker can enumerate all available CAPTCHA images, pick one whose answer is already known, and cause that CAPTCHA to be loaded during a login attempt. This defeats the intended randomness of the CAPTCHA feature: the challenge is chosen by the attacker rather than by the device, so login attempts can be repeated or automated with the same known answer [1].
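The three attacker steps above (enumerate the sequential URIs, pick one image, replay its answer on every login attempt) are shown below against a toy model of the login flow, next to a hardened design in which the server picks the challenge and names it by a one-time token. This is an added example, not D-Link firmware code: only the /docs/captcha_(number).jpeg pattern comes from the advisory; the CAPTCHA bank, the answers, the password and the login handlers are constructed stand-ins.

```python
"""
Toy model of the CAPTCHA weakness described above, beside a hardened design.
Added example, not D-Link firmware code. Only the URI pattern
/docs/captcha_<n>.jpeg comes from the advisory; the CAPTCHA bank, answers,
password and login flow are constructed stand-ins.
"""
import hmac
import secrets

# Constructed: a fixed bank of pre-rendered CAPTCHA images with their answers.
CAPTCHA_BANK = {n: f"/docs/captcha_{n}.jpeg" for n in range(1, 11)}
CAPTCHA_ANSWERS = {n: f"ans{n:02d}" for n in CAPTCHA_BANK}
ADMIN_PASSWORD = "correct horse battery staple"  # constructed


def check_password(password):
    return hmac.compare_digest(password, ADMIN_PASSWORD)


class WeakLogin:
    """Vulnerable pattern: images are fetched by sequential number without
    authentication, and the login form tells the server which number it solved."""

    def fetch_image(self, n):
        return CAPTCHA_BANK.get(n)          # predictable, enumerable URI

    def login(self, captcha_id, captcha_answer, password):
        # The server trusts the client-chosen captcha_id, so one solved image
        # can be replayed with every password guess.
        if captcha_answer != CAPTCHA_ANSWERS.get(captcha_id):
            return "captcha_failed"
        return "ok" if check_password(password) else "bad_password"


class HardenedLogin:
    """Server picks the challenge, names it by an unguessable one-time token,
    and consumes the token on the first login attempt, right or wrong."""

    def __init__(self):
        self._pending = {}                  # token -> captcha number

    def new_challenge(self):
        token = secrets.token_urlsafe(16)
        self._pending[token] = secrets.choice(list(CAPTCHA_BANK))
        return token                        # image URI would be /captcha/<token>

    def fetch_image(self, token):
        n = self._pending.get(token)
        return None if n is None else CAPTCHA_BANK[n]

    def login(self, token, captcha_answer, password):
        n = self._pending.pop(token, None)  # single use, consumed on any attempt
        if n is None or captcha_answer != CAPTCHA_ANSWERS[n]:
            return "captcha_failed"
        return "ok" if check_password(password) else "bad_password"


def enumerate_weak_captchas(server, max_n=50):
    """Attacker step 1: walk the sequential URIs and keep the ones that exist."""
    return [n for n in range(1, max_n + 1) if server.fetch_image(n) is not None]


def replay_weak(server, guesses):
    """Attacker steps 2-3: pick one known image and reuse it for every guess."""
    known = enumerate_weak_captchas(server)[0]
    answer = CAPTCHA_ANSWERS[known]         # stands in for solving it once by hand
    return [server.login(known, answer, g) for g in guesses]


def replay_hardened(server, guesses):
    """Same attacker against the hardened flow: one token, solved once."""
    token = server.new_challenge()
    # Stands in for solving the single image the attacker was shown.
    answer = CAPTCHA_ANSWERS[server._pending[token]]
    return [server.login(token, answer, g) for g in guesses]


if __name__ == "__main__":
    guesses = ["guess1", "guess2", ADMIN_PASSWORD]
    print("weak:    ", replay_weak(WeakLogin(), guesses))
    print("hardened:", replay_hardened(HardenedLogin(), guesses))
```

Against WeakLogin every guess reaches the password check, so the CAPTCHA adds nothing to the cost of a brute-force attempt. Against HardenedLogin the attacker cannot fetch an image by number, and the one token they do hold is spent on the first attempt, so each further guess costs a fresh CAPTCHA solve.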

Impact

Successful exploitation removes the CAPTCHA as an obstacle on the login page, but the attacker still needs valid administrator credentials to gain access. The impact is therefore limited to weakening login security: the CAPTCHA no longer slows brute-force or automated credential-guessing attacks, and the attacker's remaining work is guessing the password. The severity is lowered accordingly, since the flaw alone does not grant access [1].

Mitigation

As of the advisory publication date (November 16, 2018), D-Link was investigating a solution but had not released fixed firmware, and no workarounds were provided. Users are advised to monitor D-Link's security advisory page for updates [1]. Disabling the CAPTCHA feature, where the firmware allows it, does not reduce exposure, since the bypass already renders it ineffective. Because credentials are still required, the compensating controls that matter are a long, unique administrator password and limiting which hosts can reach the device's LAN-side web interface.
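Until fixed firmware is available, the enumeration step itself is the observable signal: a single client walking /docs/captcha_1.jpeg, /docs/captcha_2.jpeg, ... in quick succession. The detection sketch below is an added example, not vendor code. The advisory does not say what the router itself logs, so the input is constructed Common Log Format lines of the kind a LAN-side proxy or packet capture would yield; the regexes, thresholds and window are assumptions.

```python
"""
Detection sketch for CAPTCHA-URI enumeration. Added example, not vendor code.
Input: constructed Common Log Format lines (a LAN proxy or capture would
produce something similar; the advisory does not describe the router's logs).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# URI pattern from the advisory: /docs/captcha_<number>.jpeg
CAPTCHA_RE = re.compile(r'^/docs/captcha_(\d+)\.jpeg$')

# Constructed sample: one host walks ids 1-8 in 12 seconds, one normal login.
SAMPLE_LOG = """\
192.168.0.50 - - [16/Nov/2018:10:00:01 +0000] "GET /docs/captcha_1.jpeg HTTP/1.1" 200 4120
192.168.0.50 - - [16/Nov/2018:10:00:02 +0000] "GET /docs/captcha_2.jpeg HTTP/1.1" 200 4133
192.168.0.50 - - [16/Nov/2018:10:00:04 +0000] "GET /docs/captcha_3.jpeg HTTP/1.1" 200 4097
192.168.0.50 - - [16/Nov/2018:10:00:05 +0000] "GET /docs/captcha_4.jpeg HTTP/1.1" 200 4098
192.168.0.50 - - [16/Nov/2018:10:00:07 +0000] "GET /docs/captcha_5.jpeg HTTP/1.1" 200 4150
192.168.0.50 - - [16/Nov/2018:10:00:09 +0000] "GET /docs/captcha_6.jpeg HTTP/1.1" 200 4102
192.168.0.50 - - [16/Nov/2018:10:00:11 +0000] "GET /docs/captcha_7.jpeg HTTP/1.1" 200 4111
192.168.0.50 - - [16/Nov/2018:10:00:13 +0000] "GET /docs/captcha_8.jpeg HTTP/1.1" 200 4101
192.168.0.20 - - [16/Nov/2018:10:01:03 +0000] "GET /login.html HTTP/1.1" 200 2210
192.168.0.20 - - [16/Nov/2018:10:01:04 +0000] "GET /docs/captcha_4.jpeg HTTP/1.1" 200 4098
"""


def parse_captcha_fetches(log_text):
    """Yield (ip, timestamp, captcha_number) for every CAPTCHA image request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        c = CAPTCHA_RE.match(m["path"])
        if not c:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(c.group(1))


def longest_consecutive_run(numbers):
    """Length of the longest run of consecutive integers; sequential walks score high."""
    s = set(numbers)
    best = 0
    for n in s:
        if n - 1 in s:
            continue                       # only start counting at run heads
        length = 1
        while n + length in s:
            length += 1
        best = max(best, length)
    return best


def find_enumerators(log_text, threshold=5, window_seconds=60):
    """Flag clients that fetched >= threshold distinct CAPTCHA ids inside any window."""
    by_ip = defaultdict(list)
    for ip, ts, n in parse_captcha_fetches(log_text):
        by_ip[ip].append((ts, n))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        in_window = Counter()
        j = 0
        peak = 0
        for ts, n in events:               # sliding window over sorted events
            in_window[n] += 1
            while (ts - events[j][0]).total_seconds() > window_seconds:
                old = events[j][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                j += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[ip] = {
                "distinct_ids": peak,
                "longest_run": longest_consecutive_run(n for _, n in events),
            }
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A legitimate user loads one CAPTCHA per login page view, so a client that fetches several distinct ids within a minute, especially a consecutive run, is enumerating rather than logging in. The threshold and window are starting points to tune against the real traffic of the network being watched.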

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)
