Support Announcements
DIR-600M Rev. Cx :: Non-US Product :: F/W Ver. 3.04 / 3.05 / 3.06 :: Command Bypass and XSS security vulnerabilities

Overview

 

On April 30, 2019, D-Link became aware of a report by a third-party security researcher claiming that the DIR-600M Hardware Rev. Cx is affected by an authentication bypass and cross-site scripting (XSS) vulnerabilities in its web GUI.

  

3rd Party Report:

  

 

Details

 

1. Login authentication bypass

-- Requesting "http://192.168.0.1/wan.htm" (192.168.0.1 is the router's default LAN address) bypasses the login page and gives direct, unauthenticated access to the router's WAN setup page.

 
2. XSS issue

-- Submitting any of the strings below to the web GUI results in a cross-site scripting vulnerability that could be used to further exploit the device. The three variants differ in the case of the tag name, in the case of the script body, and in a leading "/> that first closes an enclosing attribute value and tag, so a filter that only strips a literal lowercase <script> tag is defeated:

<ScRiPt>alert("Dlink XSS");</ScRipT>
<script>ALERT("Dlink XSS");</script>
"/><ScRiPt>alert("Dlink XSS");</ScRipT>
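The following script, added here as an example and not part of D-Link's advisory or the researcher's report, turns item 1 into a check a practitioner can run against a device before and after the firmware update. It sends one GET for /wan.htm with no cookies or credentials and classifies the answer: a redirect to a login page, a 401, or a served login form counts as protected, while a 200 that carries the WAN setup page counts as the bypass. The page markers (WAN connection types, a password input), the probe path and the sample responses are assumptions constructed for this example, so adjust the markers to the HTML your firmware actually serves.

```python
"""Check whether a DIR-600M style web GUI serves /wan.htm without a login.

Added example: not D-Link's code or the researcher's. The advisory states
that requesting /wan.htm on affected firmware returns the WAN setup page with
no authentication. A patched device should answer an unauthenticated request
with a redirect to the login page, a 401 challenge, or the login form itself.
classify_response() encodes that expectation; probe_device() sends the real
request with no cookies or credentials. The page markers and the sample
responses below are assumptions constructed for this example.
"""
import http.client
import re

# Assumed content markers: the WAN setup page is expected to mention WAN
# connection types; the login page is expected to carry a password input.
SETUP_MARKERS = (re.compile(r"\b(pppoe|dhcp|static\s*ip)\b", re.I),
                 re.compile(r"\bwan\b", re.I))
LOGIN_MARKERS = (re.compile(r"type\s*=\s*[\"']?password", re.I),
                 re.compile(r"<form[^>]*login", re.I))
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_response(status: int, headers: dict, body: str) -> str:
    """Return 'bypass', 'protected' or 'unknown' for one HTTP response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "protected"
    if status in REDIRECT_CODES:
        # Being sent to a login page is the expected behaviour; any other
        # redirect (e.g. to the setup page under another name) needs a look.
        return "protected" if "login" in hdrs.get("location", "").lower() else "unknown"
    if status != 200:
        return "unknown"
    # 200 OK: decide by content. Setup markers are checked first because the
    # PPPoE section of a WAN page may legitimately contain a password field.
    if any(p.search(body) for p in SETUP_MARKERS):
        return "bypass"
    if any(p.search(body) for p in LOGIN_MARKERS):
        return "protected"
    return "unknown"


def probe_device(host: str, path: str = "/wan.htm", timeout: float = 5.0) -> str:
    """Send one unauthenticated GET to the device and classify the answer."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dir600m-check"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "redirect_to_login": (302, {"Location": "/login.htm"}, ""),
    "login_form": (200, {"Content-Type": "text/html"},
                   '<form action="/login.cgi"><input type="password" name="pwd"></form>'),
    "setup_page_unauthenticated": (200, {"Content-Type": "text/html"},
                                   '<title>WAN Setup</title><select name="wan_type">'
                                   '<option>DHCP</option><option>PPPoE</option></select>'
                                   '<input type="password" name="pppoe_pwd">'),
    "not_found": (404, {}, "Not Found"),
}


def classify_samples() -> dict:
    """Classify every constructed sample; used to sanity-check the heuristics."""
    return {name: classify_response(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_wan_htm.py 192.168.0.1
        print(sys.argv[1], probe_device(sys.argv[1]))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name:30s} {verdict}")
```

Run it with the device's LAN address as the only argument; with no argument it classifies the constructed samples. A "bypass" verdict means the setup page came back with no login, which is the behaviour the advisory describes for v3.06 and below; "unknown" means the heuristics did not recognise the page and the raw response should be inspected by hand.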

 

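The example below, added here and not taken from the DIR-600M firmware or the researcher's report, shows why item 2 uses three spellings of the same payload. It models a common embedded web GUI mistake, a blocklist that deletes the literal string <script>, and contrasts it with HTML output encoding. Rather than driving a browser it applies the HTML parsing rules that decide whether reflected input escapes its context: in text content a raw < opens a tag, and inside a double-quoted attribute value a raw " ends the value. The two reflection points (an error message and an input field named "host") are assumptions for illustration.

```python
"""Why the three mixed-case XSS test vectors from the advisory matter.

Added example: not code from the DIR-600M firmware or the researcher's
report. naive_filter() models a blocklist that strips only the exact
lowercase script tags; encode_for_html() is the correct fix. A payload
"breaks out" of a reflection context when the sanitised value still contains
the character that ends that context: '<' in text content, '"' in a
double-quoted attribute value. The reflection points are assumptions.
"""
import html

# Test vectors quoted from the advisory.
PAYLOADS = {
    "mixed_case_tag": '<ScRiPt>alert("Dlink XSS");</ScRipT>',
    "upper_case_body": '<script>ALERT("Dlink XSS");</script>',
    "attribute_breakout": '"/><ScRiPt>alert("Dlink XSS");</ScRipT>',
}

# The character that lets a reflected value escape each context.
BREAKOUT_CHARS = {"text": "<", "attribute": '"'}


def naive_filter(value: str) -> str:
    """Flawed sanitiser: deletes only the exact lowercase tags."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html(value: str) -> str:
    """Correct fix: encode for HTML text and double-quoted attribute context."""
    return html.escape(value, quote=True)


def render(value: str, context: str) -> str:
    """Reflect an already-sanitised value into a page at the given context."""
    if context == "text":
        return f"<p>Invalid host name: {value}</p>"
    return f'<input type="text" name="host" value="{value}">'


def escapes_context(sanitised: str, context: str) -> bool:
    """True if the sanitised value still contains the breakout character."""
    return BREAKOUT_CHARS[context] in sanitised


def evaluate() -> dict:
    """Map (payload, context, sanitiser) -> whether the payload breaks out."""
    results = {}
    for name, payload in PAYLOADS.items():
        for context in BREAKOUT_CHARS:
            for label, fn in (("naive_filter", naive_filter), ("encode", encode_for_html)):
                results[(name, context, label)] = escapes_context(fn(payload), context)
    return results


if __name__ == "__main__":
    for (name, context, label), broke in sorted(evaluate().items()):
        fn = naive_filter if label == "naive_filter" else encode_for_html
        verdict = "BREAKS OUT" if broke else "safe"
        print(f"{name:19s} {context:9s} {label:12s} {verdict:10s} "
              f"{render(fn(PAYLOADS[name]), context)}")
```

The blocklist stops exactly one case: the all-lowercase tag reflected into text content. Changing the case of the tag name, or reflecting into an attribute where the " in alert("...") already ends the value, gets past it, while encoding every reflected value removes the breakout character in every case, which is why a firmware fix for this class of bug is output encoding rather than a longer blocklist.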
Affected Products and Fixes:

Model      Revision           Affected FW                Fixed FW   Last Updated
DIR-600M   All C revisions    v3.06 and below (older)    v3.08      06/06/2019

 

 

Regarding security patches for your D-Link devices

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this advisory as new information becomes available, and we strongly recommend that all users install the relevant updates.

 

To help better protect devices from security attacks, malware, and ransomware:

1. Do not connect these devices directly to the Internet and/or port-forward services directly from the Internet. In particular, the web GUI of an affected DIR-600M should be reachable only from the LAN side until the fixed firmware is installed.

2. Keep device firmware up-to-date.

3. Any computer accessing information on these devices should have appropriate anti-virus and malware protection enabled.

4. Regular back-ups of stored information on these devices should occur in case disaster recovery is needed.

 
As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration interface.