Overview:
On October 12, 2018, a third-party security researcher from the Silesian University of Technology publicly disclosed three vulnerabilities that may be used in combination to gain configuration access to some D-Link products.
D-Link is aware of the third party's report and is in the process of validating the claims it makes.
D-Link believes the third party misrepresented the vulnerabilities by broadly using the term "remote". The attacks described in the third-party report require the device to respond to HTTP requests. These services are not available on the WAN port (the Internet-facing side) of D-Link devices by default. This means that the attacks described in the report are limited to the LAN side (local or in-home connections), provided remote (WAN-side) management has not been enabled, which narrows the potential threat, since the attack would need to start from a malicious user connected to the device on the LAN side.
D-Link will continue to investigate and will release updated information as it becomes available.
Third-Party Report:
Blazej Adamczyk (br0x) :: Silesian University of Technology
Tyler Cui <tyler.cui () live com>
Vulnerability Summary:
- Directory Traversal in httpd server
- Password stored in plaintext
- Shell command injection in httpd server
- Unauthenticated Credential Disclosure
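The following is an added illustration of what two of the classes listed above (directory traversal in an httpd file handler and shell command injection from a diagnostic page) look like in code, each beside a hardened counterpart. It is not D-Link firmware code and not the researcher's proof of concept; the web root, the "secret" file, the function names and the use of `echo` as an offline stand-in for the ping/traceroute binary a router diagnostic page would call are all constructed for this example.

```python
import os
import subprocess
import tempfile


def make_fixture():
    """Constructed sample filesystem: a web root holding one page, and a
    'secret' file one level above it (standing in for a config store that
    lives outside the document tree). Returns the web root path."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<html>router admin</html>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("admin:plaintext-password")
    return web_root


def read_file_vulnerable(web_root, url_path):
    """Vulnerable pattern: the request path is glued onto the web root with
    no canonicalisation, so '../' segments walk out of the document tree."""
    path = os.path.join(web_root, url_path.lstrip("/"))
    with open(path) as f:
        return f.read()


def resolve_under_root(web_root, url_path):
    """Hardened: canonicalise first (realpath also follows symlinks), then
    require the result to still sit inside the web root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root: %r" % url_path)
    return target


def read_file_hardened(web_root, url_path):
    with open(resolve_under_root(web_root, url_path)) as f:
        return f.read()


def diag_vulnerable(host):
    """Vulnerable pattern: user input concatenated into a command string that
    is handed to the shell. 'echo' stands in for ping so this runs offline;
    a ';' in the input terminates the intended command and starts another."""
    out = subprocess.run("echo " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def diag_hardened(host):
    """Hardened: allow-list the input (hostname/IP characters only), then pass
    it as a single argv element with no shell involved at all."""
    if not host or len(host) > 253 or \
            not all(c.isalnum() or c in ".-:" for c in host):
        raise ValueError("invalid host: %r" % host)
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    root = make_fixture()
    print(read_file_vulnerable(root, "../secret.txt"))   # leaks the secret
    print(read_file_hardened(root, "index.html"))        # served normally
    print(diag_vulnerable("x; echo INJECTED"))           # second command runs
    print(diag_hardened("192.0.2.1"))                    # literal argument
```

Two points a reviewer of an embedded httpd would check for: the containment test must run after any URL-decoding of the request path (otherwise an encoded `..` slips past), and the diagnostic handler must both validate and avoid the shell, since validation alone tends to miss a metacharacter and argv alone still lets a hostile hostname reach the binary's own option parser.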
Accused Products:
Model | Status | Sold In US | H/W Ver. | Region | Affected Firmware Ver. | Current Status | Updated
----- | ------ | ---------- | -------- | ------ | ---------------------- | -------------- | -------
DWR-111 | End of Life | No :: Non-US | Rev. A1 | Non-US | v. 1.01 and lower | v1.02B02 | 11/05/18
DWR-116 | End of Life | No :: Non-US | Rev. A2 | Europe | v1.06b02 and lower | v1.06b03 Patch for Vulnerability #2 | 10/26/18
DWR-116 | End of Life | No :: Non-US | Rev. A2 | Australia & Others | v1.06b02 and lower | v1.06b01_AU | 10/26/18
DWR-512 | End of Life | No :: Non-US | Rev. Bx | Non-US | v. 2.02 and lower | v2.02B01 | 10/26/18
DWR-712 | End of Life | No :: Non-US | Rev. Bx | Non-US | v. 2.02 and lower | v2.04B01 | 10/26/18
DWR-912 | Not a D-Link Product | - | - | - | - | - | 10/26/18
DWR-921 | End of Life | No :: Non-US | Rev. A1 | Non-US | v. 1.02 and lower | v1.02B01 | 10/26/18
DWR-921 | End of Life | No :: Non-US | Rev. B1 | Non-US | v. 2.02 and lower | v2.03B01 |
DIR-140L | End of Life | Yes | All | US | v. 1.02B02 and lower | For US consumers please contact rma_requests@dlink.com | 10/26/18
DIR-640L | End of Life | Yes | All | US | v. 1.02B02 and lower | For US consumers please contact rma_requests@dlink.com | 10/26/18
DSL-2770L | End of Life | No :: Non-US | All | Non-US | ME_1.02 and lower; AU_1.06 and lower | For ME please contact D-Link Middle East; for AU please contact D-Link Australia |
Regarding security patches for your D-Link devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As our products exist in different hardware revisions, please check the revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the product, next to the serial number. It can also be found in the device's web configuration interface.