Overview
On April 7, 2019 a 3rd party contacted D-Link to report multiple command injection vulnerabilities in the DWL-2600AP Hardware Rev. A running F/W 4.2.0.13; the findings were later verified on the current F/W 4.2.0.15. To identify the hardware revision, inspect the label on the bottom of the device or the device information in your DWS unified wireless controller.
3rd Party Information
Raki Ben Hamouda :: raki7bh _at_ gmail _dot_ com
CVE-2019-20499 : Authenticated command injection vulnerability via the Restore Configuration functionality in the Device's Web interface
CVE-2019-20500 : Authenticated command injection vulnerability via the Save Configuration functionality in the Device's Web interface
CVE-2019-20501 : Authenticated command injection vulnerability via the Upgrade Configuration functionality in the Device's Web interface
C-Security :: Link to Post
Packet Storm :: Link to Post
Description of Security Issue:
Authenticated command injection vulnerabilities affecting the save, restore and upgrade configuration functions in the web GUI. We refer you to the author's public posts linked above for further details.
Affected Product Models and Patches:
| Model | Hardware Revision | Affected FW | Patch/Beta FW | Full Release FW | Last Updated |
|---|---|---|---|---|---|
| DWL-2600AP | Revision A | 4.2.0.15 and older (lower) | v4.2.0.15b001c | v4.2.0.17 | 03/09/2020 |
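The table above gives everything needed to triage an access-point inventory: only DWL-2600AP units on Hardware Rev. A are listed, firmware 4.2.0.15 and lower is affected, and both the beta v4.2.0.15b001c and the full release v4.2.0.17 carry the fix. The following script is an added example, not part of D-Link's advisory or tooling; it encodes those thresholds and classifies each unit of a constructed inventory export. The version parser assumes D-Link's `major.minor.patch.build` numbering with an optional `bNNNc` beta suffix, ordered so that a beta build sorts above the plain release it patches.

```python
import re
from typing import List, Tuple

# Thresholds taken from the advisory's table (DWL-2600AP, Hardware Rev. A).
AFFECTED_MODEL = "DWL-2600AP"
AFFECTED_HW_REV = "A"
LAST_AFFECTED_FW = "4.2.0.15"        # "4.2.0.15 and older (lower)" is affected
PATCH_BETA_FW = "v4.2.0.15b001c"     # beta build that carries the fix
FULL_RELEASE_FW = "v4.2.0.17"        # full release that carries the fix

# Assumed version format: optional "v", four dotted integers, optional "bNNNc" beta suffix.
_FW_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:b(\d+)c?)?$")


def parse_fw(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a D-Link style version string into a comparable tuple.

    The fifth element is the beta build number (0 for a plain release), so
    4.2.0.15 < 4.2.0.15b001c < 4.2.0.17, matching how the advisory orders the
    last affected build, the patch beta and the full release.
    """
    m = _FW_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, patch, build, beta = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(beta or 0))


def classify(model: str, hw_rev: str, fw_version: str) -> str:
    """Return 'affected', 'patched' or 'not-listed' for a single unit."""
    if model.upper() != AFFECTED_MODEL or hw_rev.upper() != AFFECTED_HW_REV:
        return "not-listed"  # the advisory only covers DWL-2600AP Rev. A
    if parse_fw(fw_version) <= parse_fw(LAST_AFFECTED_FW):
        return "affected"
    return "patched"


def triage(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Classify every unit; unparseable versions are reported, never silently skipped."""
    results = []
    for unit in inventory:
        try:
            status = classify(unit["model"], unit["hw_rev"], unit["fw"])
        except ValueError:
            status = "unknown-version"
        results.append((unit["name"], status))
    return results


# Constructed sample inventory (hostnames, revisions and versions are made up for the
# example; "placeholder-model" exercises the not-listed branch).
SAMPLE_INVENTORY = [
    {"name": "ap-lobby-01", "model": "DWL-2600AP", "hw_rev": "A", "fw": "4.2.0.13"},
    {"name": "ap-lobby-02", "model": "DWL-2600AP", "hw_rev": "A", "fw": "4.2.0.15"},
    {"name": "ap-floor2-01", "model": "DWL-2600AP", "hw_rev": "A", "fw": "v4.2.0.15b001c"},
    {"name": "ap-floor2-02", "model": "DWL-2600AP", "hw_rev": "A", "fw": "v4.2.0.17"},
    {"name": "ap-lab-01", "model": "placeholder-model", "hw_rev": "A", "fw": "1.0.0.1"},
    {"name": "ap-lab-02", "model": "DWL-2600AP", "hw_rev": "A", "fw": "n/a"},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY):
        print(f"{name:<14} {status}")
```

Units reported as `affected` should be scheduled for the v4.2.0.17 release (or the v4.2.0.15b001c beta where the release cannot yet be deployed); `unknown-version` entries need a manual look, since a blank or malformed version field in a controller export is exactly the case that hides an unpatched device.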
Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will continue to update this advisory, and we strongly recommend that all users install the relevant updates.
As our products ship in different hardware revisions, please check the hardware revision on your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.