Support Announcements
DIR-860L Rev. Ax, DIR-865L Rev. Ax, DIR-868L Rev. Ax., and DIR-880L Rev Ax. :: XSS vulnerabilities and Unauthenticated Command Injection Vulnerability

Overview

 

On January 13, 2018 a 3rd party researcher contacted D-Link regarding two security issues that affect the DIR-860L Hardware Rev. Ax, DIR-865L Hardware Rev. Ax, DIR-868L Hardware Rev. Ax., and DIR-880L Hardware Rev Ax.  To identify the hardware revision, please inspect the devices label on bottom of device. 

 

We coordinated with the 3rd party researcher, patched and release new firmware for each of the  affected models below.

 

3rd Party researcher

 

Kaixiang Zhang of Qihoo 360 Gear Team

 

Description of Security Issue:

 

 

  • CVE-2018-6527 XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php allowing remote attackers to read a cookie via a crafted deviceid parameter to soap.cgi
    • DIR-860L Rev. A
    • DIR-865L Rev. A
    • DIR-868L Rev. A
    •  
  • CVE-2018-6528 XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php allowing remote attackers to read a cookie via a crafted receiver parameter to soap.cgi
    • DIR-860L Rev. A
    • DIR-865L Rev. A
    • DIR-868L Rev. A

    •  
  • CVE-2018-6529 XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php allowing remote attackers to read a cookie via a crafted Treturn parameter to soap.cgi
    • DIR-860L Rev. A
    • DIR-865L Rev. A
    • DIR-868L Rev. A
    •  
  • CVE-2018-6530 OS command injection vulnerability in soap.cgi (soapcgi_main incgibin) allowing remote attackers to execute arbitrary OS commands via the service parameter
    • DIR-860L Rev. A
    • DIR-865L Rev. A
    • DIR-868L Rev. A

 

This attack does require an authenticated user to the web-GUI configuration of the device.  The web-GUI configuration interface is only available on the LAN-side of the device.

 

WAN-side access to the web-GUI configuration is default disabled, and D-Link does not ever recommend enabling this feature.

 

Affected Product Models and Patches:

 

Model Hardware Revision Affected FW Fixed FW  Last Updated
DIR-860L All Revision A v1.10b04 and older (lower) v1.11b01Beta01

12/21/2018

DIR-865L All Revision A v1.07b01 and older (lower) v1.10b01Beta01

12/21/2018

DIR-868L All Revision A v1.12b04 and older (lower) v1.20b01Beta

12/21/2018

DIR-880L All Revision A v1.07b08 and older (lower)  v1.08b06Beta02 12/21/2018

 

 
Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.