Support Announcement
DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: Unauthenticated Remote Code Execution (RCE) Vulnerability

Overview


Cybersecurity company Fortinet recently disclosed vulnerabilities in D-Link's DIR-866, DIR-655, DHP-1565 and (non-US) DIR-652 that could allow a malicious user to access the device's web configuration without credentials. D-Link is aware of the reported security issue and investigated immediately.

On October 23, 2019, we were notified by a separate third-party security researcher who reported that additional models are affected by the same issue: DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, (non-US) DIR-862.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

Disclosure

- Thanh Nguyen: nguyent _at_ fortinet _dot_ com :: https://fortiguard.com/zeroday/FG-VD-19-117
- CVE-2019-16920 :: https://nvd.nist.gov/vuln/detail/CVE-2019-16920
Affected Products

The following D-Link models, sold in the United States unless otherwise noted, were reported in this third-party disclosure.

US Products

- DAP-1533 Hardware Revision Ax :: Firmware 1.02B and below (older)
- DGL-5500 Hardware Revision Ax :: Firmware 1.13b04 and below (older)
- DIR-130 Hardware Revision Ax :: Firmware 1.23b20 and below (older)
- DIR-330 Hardware Revision Ax :: Firmware 1.23b18 and below (older)
- DIR-615 Hardware Revision Ix :: Firmware 9.04NAb02 and below (older)
- DIR-655 Hardware Revision Cx :: Firmware 3.02b05 and below (older)
- DIR-825 Hardware Revision Cx :: Firmware 3.02 and below (older)
- DIR-835 Hardware Revision Ax :: Firmware 104b02Beta01 and below (older)
- DIR-855L Hardware Revision Ax :: Firmware 1.03b01 and below (older)
- DIR-866L Hardware Revision Ax :: Firmware 1.03b04 and below (older)
- DHP-1565 Hardware Revision Ax :: Firmware 1.01 and below (older)

Non-US Products :: Please consult your regional support site

- DIR-652 Hardware Revision Bx :: Firmware 2.00B40 and below (older)
- DIR-862 Hardware Revision Ax :: Firmware 1.02 and below (older)
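The affected-product list above is keyed on three things: model, hardware revision family (Ax, Bx, Cx, Ix) and a firmware ceiling ("X and below"). The following script is an added example, not part of D-Link's advisory or tooling: it turns that list into a lookup table and triages a constructed device inventory so an administrator can see which units fall inside the affected range and should be retired. The firmware comparison (digit runs compare numerically, letter runs alphabetically, and a bare release sorts below the same release with a build suffix) is our assumption about how D-Link version strings order, not something the advisory states; the inventory entries and the model "DIR-0000" are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Affected products exactly as listed in the advisory above:
# (model, hardware revision family) -> last affected firmware ("X and below").
AFFECTED = {
    ("DAP-1533", "A"): "1.02B",
    ("DGL-5500", "A"): "1.13b04",
    ("DIR-130", "A"): "1.23b20",
    ("DIR-330", "A"): "1.23b18",
    ("DIR-615", "I"): "9.04NAb02",
    ("DIR-655", "C"): "3.02b05",
    ("DIR-825", "C"): "3.02",
    ("DIR-835", "A"): "104b02Beta01",
    ("DIR-855L", "A"): "1.03b01",
    ("DIR-866L", "A"): "1.03b04",
    ("DHP-1565", "A"): "1.01",
    ("DIR-652", "B"): "2.00B40",   # non-US
    ("DIR-862", "A"): "1.02",      # non-US
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(fw: str) -> tuple:
    """Split a D-Link firmware string into a comparable tuple.

    Digit runs compare numerically and letter runs case-insensitively, so
    '1.13b04' < '1.13b05' and '3.02' < '3.02b05'. Assumption (ours, not
    D-Link's): a bare release string sorts below the same release carrying a
    build suffix, which matches the advisory's "X and below" phrasing.
    Every element is an (int, int, str) triple so tuples stay comparable.
    """
    key = []
    for tok in _TOKEN.findall(fw):
        if tok.isdigit():
            key.append((0, int(tok), ""))
        else:
            key.append((1, 0, tok.lower()))
    return tuple(key)


def hardware_rev_family(hw_rev: str) -> str:
    """'A1', 'Ax', 'B2' -> 'A', 'A', 'B' (the advisory lists Ax/Bx/Cx/Ix)."""
    return hw_rev.strip()[:1].upper()


def is_affected(model: str, hw_rev: str, firmware: str) -> bool:
    """True when the (model, revision) is listed and the firmware is at or below the ceiling."""
    threshold = AFFECTED.get((model.strip().upper(), hardware_rev_family(hw_rev)))
    if threshold is None:
        return False  # model or hardware revision not named in the advisory
    return version_key(firmware) <= version_key(threshold)


@dataclass
class Device:
    ip: str
    model: str
    hw_rev: str
    firmware: str


# Constructed sample inventory (placeholder addresses and values, not real devices).
SAMPLE_INVENTORY = [
    Device("192.0.2.10", "DIR-655", "C1", "3.02b05"),    # exactly at the ceiling: affected
    Device("192.0.2.11", "DIR-655", "C1", "3.02b06"),    # hypothetical newer build: outside range
    Device("192.0.2.12", "DIR-655", "B1", "2.11"),       # revision not listed: not flagged
    Device("192.0.2.13", "DIR-615", "I1", "9.04NAb02"),  # affected
    Device("192.0.2.14", "DIR-825", "C1", "3.01"),       # below 3.02: affected
    Device("192.0.2.15", "DHP-1565", "A1", "1.01"),      # affected
    Device("192.0.2.16", "DIR-0000", "A1", "1.08"),      # placeholder model not in the advisory
]


def triage(inventory) -> list:
    """Return the devices inside the advisory's affected range, i.e. the retirement list."""
    return [d for d in inventory if is_affected(d.model, d.hw_rev, d.firmware)]


if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"{d.ip}: {d.model} rev {d.hw_rev} fw {d.firmware} -> retire (CVE-2019-16920)")
```

Because the advisory lists firmware ceilings rather than fixed versions, a device on a newer build than the ceiling is simply not flagged; it is not thereby confirmed safe, and for EoL hardware the retirement recommendation below still stands.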

 

Recommendations

 

While D-Link is aware of the alleged vulnerabilities involving the DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862, these products have reached End of Life (EoL)/End of Support (EoS) and there is no longer support or development for them. Once a product is past its EoL/EoS date, which is stated on its product support page or indicated by its transfer to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues, since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including shift in market demands, technology innovation, costs or efficiencies based on new technologies, or the product simply matures over time and is replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.

 

For US consumers, D-Link recommends that this product be retired; any further use may be a risk to devices connected to it and to end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password for access to its web configuration, and always have WiFi encryption enabled with a unique password.

 

While this is an established part of a product's overall life cycle, D-Link understands that the EoL of a product may affect an end-user's decision to continue to use the product. The chart in the link below outlines D-Link's EoL Policy to help customers better manage their end-of-life transition and to help D-Link better understand its role in helping our customers migrate to alternative D-Link products and technology.

 

D-Link’s End-of-Life Policy can be found here: https://support.dlink.com/EndOfLifePolicy.aspx