Overview
In November 2018, D-Link became aware of a 3rd-party security researcher who accused the DIR-860L Hardware Rev. Bx and DIR-818LW Series Hardware Revision Bx consumer routers of containing a remote command injection vulnerability.
After an investigation, D-Link found that this vulnerability is only accessible via the local network (LAN side) of the router and not directly from the internet (WAN side), since it requires access to the web browser configuration of the router.
3rd Party Report:
MinGeun Kim :: pr0v3rbs _at_ kaist.ac.kr
Since this time, D-Link has diligently investigated and patched several issues that were publicly disclosed in the following CVEs.
Details
On D-Link DIR-818LW Rev. B 2.05.B03 and DIR-860L Rev. B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530.
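For defenders who capture LAN-side HTTP request lines (for example on a proxy or network sensor), the following added example, which is not D-Link code, flags soap.cgi requests whose service parameter contains anything outside a strict allowlist, which covers the "&&" substring in both raw and percent-encoded form. The log format, the allowlist pattern, the service name WANIPConn1 and the CMD placeholder are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed allowlist: a service name is a short token of letters, digits, "_", "." or "-".
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Constructed log format: client IP first, request line in double quotes.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def check_target(target):
    """Return the decoded service value if it fails the allowlist, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/soap.cgi"):
        return None
    marker = "service="
    pos = parts.query.find(marker)
    if pos < 0:
        return None
    # Conservative assumption: everything after "service=" is treated as the
    # value, because a raw "&&" would otherwise be split away as a separator.
    value = unquote(parts.query[pos + len(marker):])
    # One decoding pass is enough: a double-encoded "&" still contains "%",
    # which the allowlist rejects.
    return None if SAFE_SERVICE.fullmatch(value) else value


def flag_requests(lines):
    """Return (client_ip, decoded_service_value) for each suspicious request."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        bad = check_target(match.group(2))
        if bad is not None:
            hits.append((match.group(1), bad))
    return hits


# Constructed sample lines; CMD stands in for an appended shell command.
SAMPLE_LOG = [
    '192.168.0.23 - - [04/Jan/2019:10:01:02 +0000] "POST /soap.cgi?service=WANIPConn1 HTTP/1.1" 200',
    '192.168.0.57 - - [04/Jan/2019:10:03:10 +0000] "POST /soap.cgi?service=WANIPConn1&&CMD HTTP/1.1" 200',
    '192.168.0.57 - - [04/Jan/2019:10:03:15 +0000] "POST /soap.cgi?service=WANIPConn1%26%26CMD HTTP/1.1" 200',
    '192.168.0.23 - - [04/Jan/2019:10:04:00 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, value in flag_requests(SAMPLE_LOG):
        print(f"suspicious soap.cgi service value from {client}: {value!r}")
```

Because the check is an allowlist, a legitimate request that carries further parameters after service will also be flagged and needs manual review.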
Affected Products and Fixes:
Model | Revision | Affected FW | Fixed FW | Last Updated
DIR-818LW (white) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/D (black) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/R (red) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/T (teal) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-860L | All B revisions | v2.03.B03 and Lower (older) | v.2.04B04Beta01 | 01/04/2019
Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.