D-Link engineers have been working intensively to address the vulnerability reported in the network application interface, which occurs when malicious data is injected via the DCP protocol.
On the claim of the 120 models - D-Link has not yet confirmed the list of models affected by this vulnerability. It doesn't affect all mydlink-enabled devices because not all have the DCP protocol installed. mydlink Cloud enabled routers, APs, and modems are safe from this vulnerability.
As part of general, ongoing improvement to our Cloud device interfaces, the DCP protocol command targeted by this vulnerability was already scheduled for removal from our mydlink devices. That process will be ongoing into next month.
We will make the updates available on our mydlink service for automatic upgrade, or via the mydlink support website for manually upgrading the devices.
To benefit from security updates, it is essential that customers regularly review all of the devices on their network to check that each device is running the latest firmware. We also recommend that customers use strong passwords, and that they change these passwords regularly. Advice on how to check and update firmware on D-Link devices can be found here: http://support.dlink.com
D-Link engineers have been working intensively to address the vulnerability reported in the network application interface, which occurs when malicious data is injected into the DCP protocol. The DCP protocol is a legacy protocol that handles communication between the mydlink service and devices.
Regarding the report on 120 models - This was incorrectly stated.
- Only specific DCS-xxxL, DCS-xxxxL, and DNR-xxxL models are affected. Please see list below.
- mydlink Cloud enabled routers (DIR models), APs (DAP models), and modems are not affected by this vulnerability.
Internal research by our R&D, with further help from 3rd party network/software security experts, has discovered a number of issues that need to be addressed in the mydlink devices. We are continually updating our products, and the next version of software for these products will address:
- UID agent
- Change the HTTPS self-signed certificate to SHA2 algorithms.
- Support Mydlink UID mechanism (mdb get dev_uid)
- Updated OpenSSL to v0.9.8o
- Remove mDNSResponder/Bonjour
- Add password protection to console port (Console’s Password is synchronized with the admin’s password)
- Add authentication to CGI /config/stream_info.cg
- Fixed the “RSA-CRT key leaks” vulnerability.
- Fixed the “LANDAP stack overflow” vulnerability.
- Remove the “Arbitrary file upload interface” vulnerability.
- Support CSRF protection for Web pages
- Remove DCP protocol command
The first products will begin to get updates by July 19th, and we will continue to update devices in order of the number registered through the end of 2016.
Please note that in order to engineer a malicious attack, a user needs to be on the same local network as the camera, which minimizes risks. The devices should be used as intended, behind a firewall/router/gateway in the home.
Status of Affected Categories of Products : Camera and NVR
- DCS-930L : Revision Bx :: Patched F/W V2.14.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-931L : Revision Ax :: Patched F/W V1.14.11 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-932L : Revision Bx :: Patched F/W V2.14.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-933L : Revision Ax :: Patched F/W V1.14.11 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-934L : Revision Ax :: Patched F/W V1.05.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-936L : Not Affected
- DCS-942L : Revision Ax :: Under Research
- DCS-942L : Revision Bx :: Patched F/W V2.12.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-960L : Revision Ax :: Patched F/W V1.04.02 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-1100/1130 : Revision Ax :: Under Research
- DCS-1100L/1130L : Revision Ax :: Under Research
- DCS-2132L : Revision Ax :: Patched F/W V1.08.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2132L : Revision Bx :: Patched F/W V2.13.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2136L : Revision Ax :: Patched F/W V1.04.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2210L : Revision Ax :: Scheduled to be released April 10, 2017
- DCS-2230L : Revision Ax :: Scheduled to be released April 10, 2017
- DCS-2310L : Revision Ax :: Patched F/W V1.08.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2310L : Revision Bx :: Patched F/W V.2.04.02 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2330L : Revision Ax :: Patched F/W V1.14.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2332L : Revision Ax :: Patched F/W V1.08.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-2530L : Not Affected
- DCS-2630L : Revision Ax :: Patched F/W V1.04.00 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5000L : Revision Ax :: Scheduled 06/2017
- DCS-5009L : Revision Ax :: Patched F/W V1.08.11 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5010L : Revision Ax :: Patched F/W V1.14.09 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5020L : Revision Ax :: Patched F/W V1.14.09 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5211L : Revision Ax :: Under Research
- DCS-5025L : Revision Ax :: Scheduled 07/2017
- DCS-5222L : Revision Ax :: Under Research
- DCS-5222L : Revision Bx :: Patched F/W V.2.04.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5030L : Not Affected
- DCS-6010L : Revision Ax :: Patched F/W V1.15.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-6045L : Revision Ax :: Under Research
- DCS-7010L : Revision Ax :: Scheduled to be released April 10, 2017
- DCS-825L : Revision Ax :: Patched F/W for DCS-825L :: Upgrade via Mobile App. for Baby Cameras
- DCS-700L : Revision Ax :: Scheduled 06/2017
- DCS-800L : Revision Ax :: Scheduled 07/2017
- DCS-850L : Revision Ax :: Scheduled 07/2017
- DNR-202L : Revision Ax :: Patched F/W V2.04.03 :: Upgrade via Mobile App. or mydlink.com support page.
- DNR-312L : Revision Ax :: Patched F/W V1.06.07 :: Upgrade via Mobile App. or mydlink.com support page.
- DNR-322L : Revision Ax :: Under Research
- DNR-322L : Revision Bx :: Patched F/W V.3.01.04 :: Upgrade via Mobile App. or mydlink.com support page.
As soon as there are further updates, we will make them available on our mydlink service for automatic notification/upgrade via our mobile applications or via our support website for manual download.
To benefit from security updates, it is essential that customers regularly review all of the devices on their network to check that each device is running the latest firmware. We also recommend that customers use strong passwords, and that they change these passwords regularly. Advice on how to check and update firmware on D-Link devices can be found here: https://www.mydlink.com/download.
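The firmware review recommended above can be automated against the status list in this advisory. The following is an added example, not D-Link code: it parses status lines in the list's format and classifies an inventoried device by model, hardware revision and installed firmware. The result labels and the assumption that firmware versions order numerically by dotted field are this example's own.

```python
import re

# Status lines copied from the list in this advisory (a subset, for the demo).
ADVISORY = """\
- DCS-930L : Revision Bx :: Patched F/W V2.14.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-936L : Not Affected
- DCS-942L : Revision Ax :: Under Research
- DCS-942L : Revision Bx :: Patched F/W V2.12.04 :: Upgrade via Mobile App. or mydlink.com support page.
- DCS-5000L : Revision Ax :: Scheduled 06/2017
- DCS-5222L : Revision Bx :: Patched F/W V.2.04.04 :: Upgrade via Mobile App. or mydlink.com support page.
"""

# Separators in the list vary (":", "::", ": :"), so accept any run of colons/spaces.
LINE = re.compile(r"^-\s*(?P<model>[A-Z]+-[\w/]+)[\s:]+"
                  r"(?:Revision (?P<rev>[A-Z])x[\s:]+)?(?P<status>.+)$")
PATCHED = re.compile(r"Patched F/W V\.?(\d+(?:\.\d+)+)")

def version_tuple(text):
    """'V2.14.04' or '2.14.04' -> (2, 14, 4). Assumes numeric dotted fields."""
    return tuple(int(p) for p in text.lstrip("Vv.").split("."))

def parse_status(text):
    """Map (model, revision letter or None) -> (state, fixed version or None)."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        fixed = PATCHED.search(m["status"])
        if fixed:
            entry = ("patched", version_tuple(fixed[1]))
        elif "Not Affected" in m["status"]:
            entry = ("not_affected", None)
        else:  # "Under Research" or "Scheduled ..."
            entry = ("pending", None)
        table[(m["model"], m["rev"])] = entry
    return table

def check(table, model, rev, firmware):
    """Return 'ok', 'update', 'no_fix_yet' or 'unlisted' for one device."""
    entry = table.get((model, rev)) or table.get((model, None))
    if entry is None:
        return "unlisted"  # model/revision not in the advisory: verify manually
    state, fixed = entry
    if state == "not_affected":
        return "ok"
    if state == "pending":
        return "no_fix_yet"  # keep the device isolated until firmware ships
    return "ok" if version_tuple(firmware) >= fixed else "update"
```

Hardware revision matters: the same model can be patched in one revision and still pending in another, so inventory records need the revision letter from the device label.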