Overview  

In December 2018, D-Link becamea aware of a 3rd Party security researcher that accused the COVR-2600R, the router device included with the COVR-3902 Kit, of having hard-coded passwords located in it's firmware. D-Link Immediately investigated since new extended QA testing, deisgned to discover hard-coded credentials performed on the firmware prior to shipment. D-Link found that the accused firmware was approved prior to implementation of our new testing, however subdequent release were corrected, the report was confirmed and a patch released. 

3rd Party Report: 

Arjun Basnet of CSW Research Lab :: disclose _at_  cybersecurityworks _dot_ com

CVE-2018-20432: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20432

NIST : https://nvd.nist.gov/vuln/detail/CVE-2018-20432

Details

Please Contact CSW Research Lab for detailed report on how they discovered the credentials.

In addition to this report this firmware includes addtional fixes for bugs and security issues discovered from the previously released fimrware.

Affected Products and Fixes:

This firmware update does require a two step update.  The new firmware final firmware is encrypted. In order to perform the upgrade,users should load COVR-2600R_FW101b05beta_firmwareencryption_20190107_middle.bin,  then load the final firmware COVR-2600R_FW101b05beta_firmwareencryption_20190107.bin.