Overview
In November 28, 2018, D-Link becamea aware of a 3rd Party security researcher that accused the DCS-5020L Hardware Rev. Ax of a command injection vulnerability in the web-GUI.
After an investigation, this vulnerability is only accessable via the local-network since the cameras Web-GUI only responds on the same subnet was the PC Host web-browser. and not directly from the internet (WAN-side))
3rd Party Report:
Evan Walls :: Link to Contact
Details
Note: The exploit requires credentials to be successful.
There exists an authenticated buffer overflow vulnerability in the accused cameras that can be exploited by malicious users. It occurs when a large string is passed in the WEPEncryption parameter provided to wireless.htm. The variable is expected to be a single character of some value between 0 and 4 based on radio buttons selected by the user. Because of this assumption the length of the string is never verified and passed directly to strcpy() which copies directly to a stack variable. This overwrite can be used to gain control of the return address and possible to execute arbitrary code.
Affected Products and Fixes:
| Model |
Revision |
Affected FW |
Fixed FW |
Last Updated |
| DCS-930L |
All B revisions |
v2.16.01 and below (older) |
v2.17.00 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019
|
| DCS-931L |
All A revisions |
v1.14.11 and below (older) |
v1.15.01 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
| DCS-932L |
All B revisions |
v2.17.01 and below (older) |
v2.18.01 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
| DCS-933L |
All A revisions |
v1.14.11 and below (older) |
v1.15.01 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
| DCS-934L |
All A revisions |
v1.05.04 and below (older)
|
v1.07.01 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
| DCS-5009L |
All A revisions |
v1.08.11 and below (older) |
v1.10.01 Recommend Mydlink Mobile App to Update Firmware |
06/28/2019 |
| DCS-5010L |
All A revisions |
v1.14.09 and below (older) |
v1.16.01 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
| DCS-5020L |
All A revisions |
v1.15.12 and below (older) |
v1.16.01 Recommend Mydlink Mobile App to Update Firmware |
06/28/2019 |
| DCS-5025L |
All A revisions |
v1.03.07 and below (older) |
v1.04.02 Recommend Mydlink Mobile App to Update Firmware |
06/13/2019 |
| DCS-5030L |
All A revisions |
v1.04.10 and below (older) |
v1.06.00 Recommend Mydlink Mobile App to Update Firmware |
05/08/2019 |
Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
Tto help better protect devices from security attacks, malware, and ransomware:
1.. Do not connect these devices directly to the Internet and/or port-forward services directly from the Internet.
2. Keep device firmware up-to-date.
3. Any computer accessing information on these devices should have appropriate anti-virus protection and malware protection enabled
4. Regular back-ups of stored information on these devices should occur in case a disaster recovery is needed.
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.