Overview
D-Link was presented with a report of three potential vulnerabilities in the DIR-820L by a third party who conducted security penetration tests. As part of D-Link's continuing efforts to resolve security issues, D-Link expanded its investigation to the DIR-626L/DIR-636L/DIR-808L/DIR-810L/DIR-826L/DIR-830L/DIR-836L. The first vulnerability reportedly allows a malicious user connected to the LAN side of the device to use the device's upload utility to load malicious code without authentication. The second vulnerability reportedly relates to the device's ping utility, which might permit command injection without authentication. The third vulnerability reportedly exploits certain chipset utilities in the firmware to potentially allow a malicious user to disclose information about the device's configuration.
References
Peter Adkins :: <peter.adkins@kernelpicnic.net> :: Link :: Initially January 11, 2015
Swisscom CSIRT :: CVE-2015-1187 :: Link / Packet Storm :: Link :: Initially March 2, 2015
Description
A reference or a link to the original report by the third-party author is provided above. This third party's report was not created by D-Link. We encourage you to read the third party's original post and contact the author if you have any questions about the vulnerability.
Please note that these vulnerabilities may present LAN-side or in-home risks. The affected devices have a feature, disabled by default, that allows remote administrative access. If the user enables this feature, the device may be exposed to these attacks from the outside/internet.
In addition, some of these reported vulnerabilities require observing a LAN-side user or tricking a user's browser to gain access. Observing a user configuring the device requires access to your home network, or the use of other security exploits against other home network devices (such as your personal computer, tablets or mobile phones) that are not related to the router itself.
1) Local network; unauthenticated access
a) Uploading malicious code that is not checked by fwupgrade.ccp
b) Command injection of malicious code that is not checked by ping.ccp
c) Command injection of malicious code using chipset-vendor SDK utilities embedded in the firmware, resulting in information disclosure of the device configuration
2) Remote network; unauthenticated access
- 1a, 1b and 1c can be used by a malicious user if the end user has enabled remote configuration, which is disabled by default
3) Remote network; 'drive-by' via CSRF
- 1a, 1b and 1c can be attempted if a malicious user can obtain access to the LAN side of the device or trick the user's browser into attacking the device from the LAN side
Recommendations
Disable remote administrative access and/or verify the device’s remote administrative access feature is disabled.
Check router device history for any unauthorized access.
All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.
Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.
D-Link recommends that your D-Link router's remote network management feature be disabled (the factory default is disabled) to mitigate a malicious remote user using this vulnerability to exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router, or to have compromised another device on the network that could be used to attack the router.
D-Link recommends that all PCs (Windows or Mac) be kept up to date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.
WiFi encryption reduces the risk of this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI, in order to monitor the traffic and intercept the cookie.
The default configuration of D-Link's routers is intended to provide simple installation, ease of usability, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices, so that security risks for your entire network are minimized.
Affected Product

| Model Name | HW Version | Vulnerable FW Versions | Current FW Versions (include fixes) |
|---|---|---|---|
| DIR-626L | Ax | v1.04b04_Beta and before | Released: Rev Ax v1.05b01 Worldwide |
| DIR-636L | Ax | v1.04 and before | Released: Rev Ax v1.05b09 Worldwide |
| DIR-651 | Ax | v1.10NAb02 and before | For devices purchased in US please contact DUS customer care: 1 (877) 453-5465 |
| DIR-808L | Ax | Rev Ax v1.03b05 and before | Released: Rev Ax v1.04b01 Worldwide |
| DIR-808L | Bx | Not Affected | Unaffected: Rev Bx |
| DIR-810L | Ax | Rev Ax v1.01b04 and before | Released: Rev Ax v1.03b01 Worldwide |
| DIR-810L | Bx | Rev Bx v2.02b01 and before | Released: Rev Bx v2.04b01 Worldwide |
| DIR-820L | Ax | Rev Ax v1.05B03 and before | Released: Rev Ax v1.06b01 Worldwide; Rev Ax v1.02b01 China |
| DIR-820L | Bx | Rev Bx v2.01b02 and before | Released: Rev Bx v2.03b01 Worldwide; Rev Bx v2.02b01 China |
| DIR-826L | Ax | Rev Ax v1.00b23 and before | Released: Rev Ax v1.06b01 Worldwide |
| DIR-830L | Ax | Rev Ax v1.00b07 and before | Released: Rev Ax v1.01b02 Worldwide |
| DIR-836L | Ax | Rev v1.01b03 and before | Released: Rev Ax v1.04b11 Worldwide |
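As an added example (not D-Link's code), the following Python checker applies the "and before" rule from the table above to an inventory entry, so an administrator can flag routers still on a vulnerable build. The models, revision letters and version ceilings are copied from the table; the way version strings are parsed (major.minor, optional region letters, optional bNN build) is an assumption about D-Link's naming.

```python
import re

# Last vulnerable firmware per (model, hardware revision letter), taken from the
# advisory table ("... and before"). None means the revision is listed as not affected.
VULNERABLE_UP_TO = {
    ("DIR-626L", "A"): "v1.04b04",
    ("DIR-636L", "A"): "v1.04",        # no build number: every v1.04 build counts
    ("DIR-651", "A"): "v1.10NAb02",
    ("DIR-808L", "A"): "v1.03b05",
    ("DIR-808L", "B"): None,
    ("DIR-810L", "A"): "v1.01b04",
    ("DIR-810L", "B"): "v2.02b01",
    ("DIR-820L", "A"): "v1.05b03",
    ("DIR-820L", "B"): "v2.01b02",
    ("DIR-826L", "A"): "v1.00b23",
    ("DIR-830L", "A"): "v1.00b07",
    ("DIR-836L", "A"): "v1.01b03",
}

# Assumed version layout: "v1.04b04_Beta", "Rev Ax v1.03b05", "v1.10NAb02", "v1.05B03",
# or a plain "v1.04". Region letters (e.g. NA) before the build are skipped; build is optional.
_VERSION = re.compile(r"v(\d+)\.(\d+)(?:[a-z]*?b(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, build); build is None when the string carries none."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no firmware version found in %r" % text)
    major, minor, build = m.groups()
    return int(major), int(minor), None if build is None else int(build)


def is_vulnerable(model, hw_rev, firmware):
    """True/False according to the advisory table, None if model/revision is not listed.

    hw_rev is the label string such as 'A1' or 'Bx'; only its first letter matters.
    """
    key = (model.strip().upper(), hw_rev.strip()[:1].upper())
    if key not in VULNERABLE_UP_TO:
        return None
    ceiling = VULNERABLE_UP_TO[key]
    if ceiling is None:                      # revision explicitly "Not Affected"
        return False
    have, limit = parse_version(firmware), parse_version(ceiling)
    if limit[2] is None:                     # "v1.04 and before" covers all v1.04 builds
        return have[:2] <= limit[:2]
    return (have[0], have[1], have[2] or 0) <= limit
```

Regional builds (the China releases for the DIR-820L) follow a separate version line and are not modelled here; treat a None result as "not covered by this advisory", not as safe.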
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in the affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.