Overview
On March 18, 2017, D-Link became aware that a 3rd party researcher had reported an inadequate CSRF protection mechanism in the DCS-936L in early firmware versions 1.02.01 and lower (older).
Upon investigation, D-Link verified the report, verified the fix, and coordinated a public disclosure with the 3rd party as CVE-2017-7851.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
Disclosure
3rd party researcher
Kapil Khot :: kkhot _at_ qualys _dot_ com
CVE-2017-7851
https://www.qualys.com/2017/03/26/qsa-2017-03-26/qsa-2017-03-26.pdf
https://cxsecurity.com/cveshow/CVE-2017-7851/
https://packetstormsecurity.com/files/145036/D-Link-DCS-936L-Cross-Site-Request-Forgery.html
Affected Products
Currently, D-Link is aware that the following D-Link brand devices may be affected:
Model | HW Rev. | Affected FW | Fixed FW | Recommendation | Info Last Update
DCS-936L | All HW Rev A | v1.02.01 and below | v1.05.07 | Use mydlink Mobile Apps to update | 11/17/2017
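As an added example (not D-Link's code or part of the original advisory), the following script checks a device's reported firmware version against the affected and fixed releases in the table above, so an administrator can tell whether a DCS-936L still needs the update. The ADVISORY table, the version format handling and the result labels are assumptions made for this illustration; the model, hardware revision and version numbers come from the advisory.

```python
# Added example, not D-Link's code: decide whether a DCS-936L firmware
# version falls in this advisory's affected range (v1.02.01 and below)
# or already carries the fix (v1.05.07).
import re

# Constructed from the advisory's table (one row, all HW Rev A).
ADVISORY = {
    "DCS-936L": {"hw_rev": "A", "affected_max": "1.02.01", "fixed": "1.05.07"},
}


def parse_version(text):
    """Turn 'v1.02.01' or '1.2.1' into a tuple of ints for comparison.

    A leading 'v'/'V' and zero-padding are ignored; anything else raises,
    because silently treating garbage as an old version would mislabel
    an up-to-date device as affected (or vice versa).
    """
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(model, hw_rev, fw_version):
    """Classify a device against the advisory table.

    Returns one of (labels are this example's own):
      'affected'             - version is v1.02.01 or below
      'fixed'                - version is v1.05.07 or newer
      'below_fixed_unlisted' - between the two; the advisory does not list
                               it as affected, but it predates the fix
      'hw_rev_not_listed'    - hardware revision not covered by the table
      'model_not_listed'     - model not covered by the table
    """
    entry = ADVISORY.get(model.strip().upper())
    if entry is None:
        return "model_not_listed"
    # "All HW Rev A" covers sub-revisions such as A1, A2.
    if not hw_rev.strip().upper().startswith(entry["hw_rev"]):
        return "hw_rev_not_listed"
    version = parse_version(fw_version)
    if version <= parse_version(entry["affected_max"]):
        return "affected"
    if version >= parse_version(entry["fixed"]):
        return "fixed"
    return "below_fixed_unlisted"


if __name__ == "__main__":
    # Constructed sample inventory: (model, hw rev, firmware as reported
    # by the device's web configuration page).
    inventory = [
        ("DCS-936L", "A1", "v1.02.01"),
        ("DCS-936L", "A2", "v1.05.07"),
        ("DCS-936L", "A1", "v1.03.00"),
        ("DCS-936L", "B1", "v1.00.00"),
    ]
    for model, hw_rev, fw in inventory:
        print(f"{model} rev {hw_rev} fw {fw}: {assess(model, hw_rev, fw)}")
```

Versions between v1.02.01 and v1.05.07 are reported separately rather than as "fixed": the advisory only states that v1.05.07 contains the fix, so a device on an intermediate release should still be updated.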
Recommendations
To mitigate the risks, we strongly encourage our users to do the following:
- Ensure you have checked your local customer care support site (In US: support.dlink.com) to get the latest firmware available for your device.
Security patch for your D-Link Devices
This firmware is an update that addresses security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the hardware revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.