Support Announcements
Regarding Senr.io Vulnerability Information Updates

D-Link engineers have been working intensively to address the vulnerability reported in the network application interface, which occurs when malicious data is injected via the DCP protocol.

 

On the claim of the 120 models - D-Link has not yet confirmed the list of models affected by this vulnerability. It doesn't affect all mydlink-enabled devices because not all have the DCP protocol installed. mydlink Cloud enabled routers, APs, and modems are safe from this vulnerability.

As part of general, ongoing improvement to our Cloud device interfaces, the DCP protocol command targeted by this vulnerability was already scheduled for removal from our mydlink devices. That process will be ongoing into next month.

 

We will make the updates available on our mydlink service for automatic upgrade, or via the mydlink support website for manually upgrading the devices.

 

To benefit from security updates, it is essential that customers regularly review all of the devices on their network to check that each device is running the latest firmware. We also recommend that customers use strong passwords, and that they change these passwords regularly. Advice on how to check and update firmware on D-Link devices can be found here: http://support.dlink.com

 

D-Link engineers have been working intensively to address the vulnerability reported in the network application interface, which occurs when malicious data is injected into the DCP protocol. The DCP protocol is a legacy protocol used to handle communication within the mydlink service and devices.

 

Regarding the report on 120 models - This was incorrectly stated.

  • Only specific DCS-xxxL, DCS-xxxxL, and DNR-xxxL models are affected. Please see list below.
  • mydlink Cloud enabled routers (DIR models), APs (DAP models), and modems are not affected by this vulnerability.

 

Internal research by our R&D team, with further help from third-party network/software security experts, has discovered a number of issues that need to be addressed in the mydlink devices. We are continually updating our products, and the next version of software for these products will address:

 

  • UID agent
  • Change the HTTPS self-signed certificate to SHA2 algorithms.
  • Support mydlink UID mechanism (mdb get dev_uid)
  • Updated OpenSSL to v0.9.8o
  • Remove mDNSResponder/Bonjour
  • Add password protection to console port (Console’s Password is synchronized with the admin’s password)
  • Add authentication to CGI /config/stream_info.cg
  • Fixed the “RSA-CRT key leaks” vulnerability.
  • Fixed the “LANDAP stack overflow” vulnerability.
  • Remove the “Arbitrary file upload interface” vulnerability.
  • Support CSRF protection for Web pages
  • Remove DCP protocol command

 

The first products will begin to get updates by July 19th, and we will continue to update devices, prioritized by the number registered, through the end of 2016.

 

Please note that in order to engineer a malicious attack, a user needs to be on the same local network as the camera, which minimizes risks. The devices should be used as intended, behind a firewall/router/gateway in the home.

 

Status of Affected Categories of Products: Camera and NVR

 

  • DCS-930L : Revision Bx :: Patched F/W V2.14.04 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-931L : Revision Ax :: Scheduled to be released March 15, 2017
  • DCS-932L : Revision Bx :: Patched F/W V2.14.04 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-933L : Revision Ax :: Patched F/W V1.14.11 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-934L : Revision Ax :: Patched F/W V1.05.04 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-936L : Not Affected
  • DCS-942L : Revision Ax :: Pending as of March 13, 2017 :: Revision Bx :: Scheduled to be released March 31, 2017
  • DCS-960L : Revision Ax :: Patched F/W V1.04.02 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-1100/1130/1100L/1130L : Pending as of March 13, 2017
  • DCS-2132L : Revision Ax :: Patched F/W V1.08.03 :: Revision Bx :: Patched F/W V.2.13.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-2136L : Revision Ax :: Patched F/W V1.04.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-2210L : Revision Ax :: Scheduled to be released April 28, 2017
  • DCS-2230L : Revision Ax :: Scheduled to be released
  • DCS-2310L : Revision Ax :: Patched F/W V1.08.03 :: Revision Bx :: Patched F/W V.2.04.02 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-2330L : Revision Ax :: Patched F/W V1.14.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-2332L : Revision Ax :: Patched F/W V1.08.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-2530L : Not Affected
  • DCS-2630L : Revision Ax :: Patched F/W V1.04.00 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-5009L : Revision Ax :: Scheduled to be released March 22, 2017
  • DCS-5010L : Revision Ax :: Patched F/W V1.14.09 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-5020L : Revision Ax :: Patched F/W V1.14.09 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-5211L : Revision Ax :: Pending as of March 13, 2017
  • DCS-5025L : Revision Ax :: Pending as of March 13, 2017
  • DCS-5222L : Revision Ax :: Pending as of March 13, 2017 :: Revision Bx :: Patched F/W V.2.04.04 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-5030L : Not Affected
  • DCS-6010L : Revision Ax :: Patched F/W V1.15.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DCS-6045L : Revision Ax :: Pending as of March 13, 2017
  • DCS-7010L : Revision Ax :: Scheduled to be released 04/28/17
  • DCS-8xxL Baby Cameras : Pending as of March 13, 2017 for DCS-700L/800L/820L/850L/855L :: Patched F/W for DCS-825L :: Upgrade via Mobile App. for Baby Cameras
  • DNR-202L : Revision Ax :: Patched F/W V2.04.03 :: Upgrade via Mobile App. or mydlink.com support page.
  • DNR-312L : Revision Ax :: Patched F/W V1.06.07 :: Upgrade via Mobile App. or mydlink.com support page.
  • DNR-322L : Revision Ax :: Pending as of March 13, 2017 :: Revision Bx :: Patched F/W V.3.01.04 :: Upgrade via Mobile App. or mydlink.com support page.


As soon as there are further updates, we will make them available on our mydlink service for automatic notification/upgrade via our mobile applications or via our support website for manual download.

 

To benefit from security updates, it is essential that customers regularly review all of the devices on their network to check that each device is running the latest firmware. We also recommend that customers use strong passwords, and that they change these passwords regularly. Advice on how to check and update firmware on D-Link devices can be found here:  https://www.mydlink.com/download.