Support Announcements
DIR-600 B1 / DIR-615 J1 / DIR-645 A1 / DIR-815 A1 / DIR-823 A1 / DIR-842 C1 / DIR-890L A1 :: CVE-2019-18852 :: Accused of hardcoded telnet credentials

 Overview 

 

A recent report indicates that the DIR-600 HW B1 FW V2.01 for WW, DIR-890L HW A1 FW v1.03, DIR-615 HW J1 FW v100 (for DCN), DIR-645 HW A1 FW v1.03, DIR-815 HW A1 FWv1.01, DIR-823 HW A1 FW v1.01, and DIR-842 HW C1 FW v3.00 of carrying hard-coded telnet credentials filed under CVE-2019-18852, .

 

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. 

   

Disclosure   

 

    CVE-2019-18852

          - Github: Linked-Here

          - NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18852

          - Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18852

   
Affected Products

 

There is a mix of End-Of-Service Life products and active products regarding this security issue.  Please see below for End-of-Service Life products.

 

For active products to close this you can download the patch and upgrade the device through the device web-configuration GUI. Some recent product like the

DIR-842 and DiR-890L/R have features that allow them to be upgraded directly from their Web-GUI or through D-Link's WIFI mobile applications.

 

Model HW Rev. Region Affected FW Fixed FW Current FW Recommendation Info Last Update
DIR-600 All HW Rev Bx  US V2.01 and below Not Available End of Life Please See Recommendation Below
12/1/2010
DIR-615 All HW Rev Jx  Non-US v100 and below Not Available End of Life Please See Recommendation Below 12/18/2019
DIR-645 All HW Rev Ax US v1.03 and below Not Available End of Life Please See Recommendation Below 12/31/2018
DIR-815 All HW Rev Ax US v1.01 and below v1.04b04_Beta01 End of Life Please See Recommendation Below 12/29/2017
DIR-815 All HW Rev Ax Non-US v1.01 and below v1.04b04_Beta01 - Update via Device Web-GUI 12/18/2019
DIR-823  All HW Rev Ax  Non-US  v1.01 and below

 v1.03WWb01

- Update via Device Web-GUI 12/18/2019
DIR-842  All HW Rev Cx  US v3.00 and below v3.13b09Beta_jbma  - Update via Device Web-GUI 12/18/2019
DIR-890L/R  All HW Rev Ax  US  v1.03 and below v1.09b05 v1.21b02Beta Update via Device Web-GUI 07/24/2018

 

 

Security patch for your D-Link Devices


This firmware is an update security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install this relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.

 

 

Recommendation for End of Service Life Products

 

While D-Link is aware of the alleged vulnerabilities involving the DIR-600 Rev. B1 / DIR-615 Rev. J1 / DIR-645 Rev. A1 / DIR-815 Rev. A1 these products have reached End of Life(EoL)/End of Support(EoS) and there is no longer support or development for them. Once a product is past EoL/EoS date, which states on it's product support page or has been transferred to https://legacy.us.dlink.com/,

 

D-Link will be unable to resolve Device or Firmware issues since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including shift in market demands, technology innovation, costs or efficiencies based on new technologies, or the product simply matures over time and is replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.

 

For US consumers, D-Link recommends this product be retired, any further use maybe a risk to devices connected to it and end-users connected to it. If US consumers, continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/, installed, make sure you frequently update the device's unique password to access it's web-configuration, and always have WiFI encryption enabled with a unique password.

 

While this is an established part of a product’s overall life cycle, D-Link understands that EOL of a product may affect an end-user’s decision to continue to use the product. The chart in the link below outlines D-Link's EOL Policy to help customers better manage their end-of-life transition and to help D-Link better understand its role in helping our customers migrate to alternative D-Link products and technology.

 

D-Link’s End-of-Life Policy can be found here: https://support.dlink.com/EndOfLifePolicy.aspx