D-Link Technical Support

Home Support Forums Security Advisories Shop English | French

Support Announcement

DIR-860L Rev. Ax, DIR-865L Rev. Ax, DIR-868L Rev. Ax., and DIR-880L Rev Ax. :: XSS vulnerabilities and Unauthenticated Command Injection Vulnerability

Overview

On January 13, 2018 a 3rd party researcher contacted D-Link regarding two security issues that affect the DIR-860L Hardware Rev. Ax, DIR-865L Hardware Rev. Ax, DIR-868L Hardware Rev. Ax., and DIR-880L Hardware Rev Ax. To identify the hardware revision, please inspect the devices label on bottom of device.

We coordinated with the 3rd party researcher, patched and release new firmware for each of the affected models below.

3rd Party researcher

Kaixiang Zhang of Qihoo 360 Gear Team

Description of Security Issue:

CVE-2018-6527 XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php allowing remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi
- DIR-860L Rev. A
- DIR-865L Rev. A
- DIR-868L Rev. A

CVE-2018-6528 XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php allowing remote attackers to read a cookie via a crafted receiver parameter to soap.cgi
- DIR-860L Rev. A
- DIR-865L Rev. A
- DIR-868L Rev. A
CVE-2018-6529 XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php allowing remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi
- DIR-860L Rev. A
- DIR-865L Rev. A
- DIR-868L Rev. A

CVE-2018-6530 OS command injection vulnerability in soap.cgi (soapcgi_main incgibin) allowing remote attackers to execute arbitrary OS commands via the service parameter
- DIR-860L Rev. A
- DIR-865L Rev. A
- DIR-868L Rev. A

This attack does require an authenticated user to the web-GUI configuration of the device. The web-GUI configuration interface is only available on the LAN-side of the device.

WAN-side access to the web-GUI configuration is default disabled, and D-Link does not ever recommend enabling this feature.

Affected Product Models and Patches:

   Model  Hardware Revision  Affected FW  Fixed FW   Last Updated  
  DIR-860L  All Revision A  v1.10b04 and older (lower)  v1.11b01Beta01  12/21/2018  
 DIR-865L  All Revision A  v1.07b01 and older (lower)  v1.10b01Beta01  12/21/2018  
 DIR-868L  All Revision A  v1.12b04 and older (lower)  v1.20b01Beta  12/21/2018  
 DIR-880L  All Revision A  v1.07b08 and older (lower)   v1.08b06Beta02  12/21/2018

Regarding Security patch for your D-Link Devices

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.

Model	Hardware Revision	Affected FW	Fixed FW	Last Updated
DIR-860L	All Revision A	v1.10b04 and older (lower)	v1.11b01Beta01	12/21/2018
DIR-865L	All Revision A	v1.07b01 and older (lower)	v1.10b01Beta01	12/21/2018
DIR-868L	All Revision A	v1.12b04 and older (lower)	v1.20b01Beta	12/21/2018
DIR-880L	All Revision A	v1.07b08 and older (lower)	v1.08b06Beta02	12/21/2018