Support Announcements
DIR-605L Rev. B (FW: 2.12B1) & DIR-619L Rev. B (FW: 2.06B1) :: LAN-Side Vulnerable to Buffer Overflow and Command Injection

Overview

On December 4, 2018, a third-party security researcher reported that the DIR-605L Hardware Revision B and DIR-619L Hardware Revision B are affected by CVE-2018-20056 (Stack Buffer Overflow Vulnerability) and CVE-2018-20057 (Authenticated Remote Command Execution).

After an investigation, D-Link confirmed these vulnerabilities; however, they are only accessible from the local network (LAN side) of the router and not directly from the Internet (WAN side), since exploitation requires access to the router's web browser configuration interface.

D-Link is aware of the public disclosure of CVE-2018-20056 and CVE-2018-20057 from 360 ESG CodeSafe Team involving the DIR-605L and DIR-619L.

3rd Party Report:

360 ESG CodeSafe Team

Since that time, D-Link has diligently investigated and patched the issues that were publicly disclosed in the following CVEs.

Details

CVE-2018-20056: An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. There is a stack-based buffer overflow allowing remote attackers to execute arbitrary code without authentication via the goform/formLanguageChange currTime parameter.

CVE-2018-20057: An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter.
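As an added defensive example (not part of this D-Link announcement and not D-Link code), the following Python script scans HTTP request records for the two goform endpoints named in the CVE descriptions above: it flags a POST to goform/formLanguageChange whose currTime value is implausibly long, and any POST to goform/formSysCmd that carries a sysCmd value. Everything beyond the endpoint and parameter names is assumed: the one-line log format, the 32-byte currTime threshold, the source addresses and all sample entries are constructed for this example, and the page does not describe any access log produced by the router, so records of this kind would have to come from LAN-side monitoring (for example a mirror port or a logging proxy in front of the management interface).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameter names are taken from the CVE descriptions on this page.
# The log line format, the length threshold and all sample values below are
# constructed for this example; they are not D-Link data.
WATCHED = {
    "/goform/formLanguageChange": ("currTime", "CVE-2018-20056"),
    "/goform/formSysCmd": ("sysCmd", "CVE-2018-20057"),
}
MAX_CURRTIME_LEN = 32  # assumed sane upper bound for a timestamp-like field


def inspect_request(method: str, path: str, body: str):
    """Return (cve, reason) for a suspicious request, or None if it looks benign."""
    if method.upper() != "POST":
        return None
    path = urlsplit(path).path  # ignore any query string on the URL
    if path not in WATCHED:
        return None
    param, cve = WATCHED[path]
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get(param, []):
        # Overflow indicator: a timestamp field far longer than any real timestamp.
        if param == "currTime" and len(value) > MAX_CURRTIME_LEN:
            return (cve, f"{param} is {len(value)} bytes (limit {MAX_CURRTIME_LEN})")
        # Command execution endpoint: any non-empty sysCmd is worth an alert.
        if param == "sysCmd" and value.strip():
            return (cve, f"{param} carries a command: {value[:40]!r}")
    return None


# Constructed record format: "<timestamp> <client-ip> <METHOD> <path> [<urlencoded body>]"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: (.*))?$")


def scan_log(lines):
    """Parse constructed log lines and return one finding dict per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, ip, method, path, body = m.groups()
        result = inspect_request(method, path, body or "")
        if result:
            cve, reason = result
            findings.append({"time": ts, "src": ip, "cve": cve, "reason": reason})
    return findings


# Constructed sample traffic: one normal page load, one legitimate language change,
# one oversized currTime value and one command sent through formSysCmd.
SAMPLE_LOG = [
    "2019-01-04T10:00:01Z 192.168.0.10 GET /index.asp",
    "2019-01-04T10:00:05Z 192.168.0.10 POST /goform/formLanguageChange "
    "currTime=1546596005&langSelection=en",
    "2019-01-04T10:01:12Z 192.168.0.23 POST /goform/formLanguageChange currTime=" + "A" * 300,
    "2019-01-04T10:02:40Z 192.168.0.23 POST /goform/formSysCmd sysCmd=ls+%2Ftmp",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['cve']}: {f['reason']}")
```

The two checks are deliberately different in shape: currTime is a field that should only ever hold a short timestamp, so length alone is a strong signal, whereas formSysCmd is the command execution endpoint itself, so the mere presence of a sysCmd value matters more than any attempt to spot shell syntax inside it. Because the page states both endpoints are reachable only from the LAN side, a hit against a LAN client address still points at a compromised or misbehaving internal host rather than at Internet exposure.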


Affected Products and Fixes:

Model     Revision         Affected FW                 Fixed FW         Last Updated
DIR-605L  All B revisions  v2.12B01 and lower (older)  v2.12B03Beta01   01/04/2019
DIR-619L  All B revisions  v2.06B01 and lower (older)  v2.06B02Beta01   01/04/2019

Regarding Security Patches for your D-Link Devices

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually and strongly recommends that all users install the relevant updates.

As our products have different hardware revisions, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.