Support Announcements
Response to D-Link some legacy Routers (DWR-Series, DIR-640L, DIR-140L) afffected by sequenced Command Execution security vulnerabilities.

Overview:

 

On October 12, 2018, a 3rd-Party security researcher from Silesian University of Technology pubically disclosed three vulnerabilities that maybe used in combination to gain configuration access to some D-Link products.

 

D-Link is aware of the report alledged by the 3rd-party, and are in the process validating the claims stated in the report.

 

D-Link believes the 3rd-Party did misrepresent the vulnerabilities by broadly using the term "remote".  The attacks described in the 3rd-Party Report require the device to respond to HTTP requests.  These services are not available on the WAN-port (meaning Internet connection side) of D-Link Devices as default.  This means that the attacks described in the report are limited to the LAN-side (Local or In-home connections) which narrows the potential threat since the attack would need to start from a malicous user connected to the device on the LAN-side

 

D-Link will continue to investigate and release updated information as it becomes available..

 

3rd-Party Report:

 

Blazej Adamczyk (br0x)  :: Silesian University of Technology

 

Tyler Cui <tyler.cui () live com>

 

Vulnerability Summary:

  1. Directory Traversal in httpd server
  2. Password stored in plaintext 
  3. Shell command injection in httpd server
  4. Unathenticated Credential Disclosure

 

Accused Products:

 

Model  Status Sold In US H/W Ver. Region  Affected Firmware Ver. Current Status Updated
DWR-111  End of Life No :: Non-US Rev. A1  Non-US   v. 1.01 and lower  v1.02B02  11/05/18
DWR-116

 End of Life

No :: Non-US Rev. A2 Europe v1.06b02 and lower  v1.06b03  Patch for Vulnerability #2
10/26/18
DWR-116  End of Life No :: Non-US Rev. A2 Australia & Others v1.06b02 and lower  v1.06b01_AU 10/26/18
DWR-512  End of Life No :: Non-US Rev. Bx  Non-US   v. 2.02 and lower  v2.02B01  10/26/18
DWR-712  End of Life No :: Non-US Rev. Bx  Non-US   v. 2.02 and lower  v2.04B01  10/26/18
DWR-912

Not a D-Link Product

- - - - - 10/26/18
DWR-921  End of Life No :: Non-US  Rev. A1 Non-US   v. 1.02 and lower  v1.02B01 10/26/18
DWR-921 End of Life No :: Non-US Rev. B1 Non-US v. 2.02 and lower  v2.03B01  
DIR-140L End of Life Yes All  US  v. 1.02B02 and lower  For US Consumers Please Contact rma_requests@dlink.com  10/26/18
DIR-640L End of Life Yes All  US  v. 1.02B02 and lower  For US Consumers Please Contact rma_requests@dlink.com  10/26/18
DSL-2770L End of Life No :: Non-US All Non-US

v, ME_1.02 and lower

v, AU_1.06 and lower

For ME please contact D-Link Middle East

For AU please contact D-Link Australia

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.