Support Announcements
CVE-2014-8361 - Realtek SDK miniigd : Authentication Bypass - Remote Code Execution

Overview

There is a vulnerability in a RealTek SDK, which allowed unauthenticated remote code execution.
 
References

Discovered by Ricky "HeadlessZeke" Lawshae
Zero Day Initiative Disclosure Link
CVE Link
 
Description

The miniigd service fails to properly sanitize user input on it's NewInternalClient function before performing a system call.  A malicious user could craft a request which would lead to the device executing arbitrary code of the attacker's choosing.


Affected Product
 

Model Name

HW Version

Vulnerable Software

Vulnerable FW Version

New FW Version for this exploit fix

DIR-501 A1 (US only) miniigd v1.08 1.01B04 and older

FW A1: 1.04B02

FW A1 Release Notes: Link


(Updated: 05/12/2015)

DIR-515 A1 (US only) miniigd v1.08 1.01B04 and older

FW A1: 1.03B01

FW A1 Release Notes: Link


(Updated: 05/12/2015)

DIR-600L

A1/B1

miniigd v1.08

A1: 1.15 and older
B1: 2.056B06 and older

FW A1: 1.16B01

FW A1 Release Notes: Link

FW B1: 2.07B01

FW B1 Release Notes: Link


(Updated: 05/12/2015)

DIR-605L A1/Bx/C1 miniigd v1.08

A1: 1.14B06 and older
Bx: 2.07B02 and older

C1: 3.03B07 and older

FW A1 World Wide: 1.16B01

FW A1 World Wide Release Notes: Link

FW A1 China: 1.15B01

FW A1 China Release Notes: Link

FW B1: 2.08B02

FW B1 Release Notes: Link

FW C1: 3.04B01

FW C1 Release Notes: Link


(Updated: 05/12/2015)

DIR-615

Fx

J1 (China Only)

Fx: miniigd v1.07

J1: miniigd v1.08

Fx:  6.06B03 and older

J1: 10.01B02

FW Fx: 6.07B01

FW Fx Release Notes: Link

FW J1: 10.02B01

FW J1 Release Notes: Link


(Updated: 05/12/2015)

DIR-619L A1/B1 miniigd v1.08 A1: 1.15 and older
B1: 2.07B02 and older

FW A1 World Wide: 1.15B01

FW A1 World Wide Release Notes: Link

FW A1 China: 1.16B01

FW A1 China Release Notes: Link

FW B1: 2.06B01

FW B1 Release Notes: Link


(Updated: 05/11/2015)

DIR-809 A1/A2 miniigd v1.07 1.04B02 and older FW A1/A2: 1.05B01

FW A1/A2 Release Notes: Link


(Updated: 05/15/2015)

DIR-900L A1 miniigd v1.08 1.14B02 and older

FW A1: 1.15B01

FW A1 Release Notes: Link


(Updated: 05/12/2015)

DIR-905L A1/B1 (Brazil Only) miniigd v1.08 2.05B01 and older

FW A1: 1.15B01

FW A1 Release Notes: Link

FW B1: 2.06B02

FW B1 Release Notes: Link


(Updated: 05/12/2015)



Security patch for your D-Link Devices
 
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.