Support Announcements
DCS-936L :: Rev. Ax :: CVE-2017-7851 :: Inadequate CSRF protection mechanism

Overview  

 

On March 18, 2017, D-Link became aware of a report from a 3rd party researcher that the DCS-936L has an inadequate CSRF protection mechanism in early firmware versions 1.02.01 and older.

 

Upon investigation, D-Link confirmed the report, verified the fix, and coordinated a public disclosure with the 3rd party as CVE-2017-7851.

 

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. 
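The advisory names the weakness class (inadequate CSRF protection) but gives no detail about the affected web UI. The following Python is an added illustration, not D-Link's firmware code and not the researcher's proof of concept. It models the difference between a session-cookie-only authorization check, which is the pattern a CSRF-vulnerable web interface typically relies on, and a check that additionally validates the request origin and a per-session synchronizer token. The LAN address, header names and function names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the camera's web UI on the LAN (constructed for this example).
TRUSTED_ORIGIN = "http://192.168.0.20"

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def cookie_only_check(method, headers, form, session):
    """Model of an inadequate check: any request that carries a valid session
    cookie is accepted, regardless of which site caused the browser to send it.
    A page on another origin can therefore submit a form to the device and the
    browser attaches the victim's cookie automatically."""
    return "session_id" in session


def new_csrf_token(session):
    """Mint a random per-session token and store it server-side; the UI embeds
    it in each state-changing form, where a cross-site page cannot read it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer.
    Returns None when neither header is present, so the caller fails closed."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(method, headers, form, session, trusted=TRUSTED_ORIGIN):
    """Adequate check for a state-changing request: the browser must report the
    device's own origin and the form must carry the token tied to this session.
    Safe methods pass only on the assumption that they never change state."""
    if method in SAFE_METHODS:
        return True
    if "session_id" not in session:
        return False
    if request_origin(headers) != trusted:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {"session_id": "deadbeef"}
    token = new_csrf_token(session)
    # Constructed requests: one from the device's own UI, one forged by a page on another origin.
    legit = ({"Origin": TRUSTED_ORIGIN}, {"csrf_token": token, "admin_pw": "new"})
    forged = ({"Origin": "http://attacker.example"}, {"admin_pw": "new"})
    for name, (hdrs, form) in (("legitimate", legit), ("forged", forged)):
        print(f"{name}: cookie-only={cookie_only_check('POST', hdrs, form, session)} "
              f"csrf_check={csrf_check('POST', hdrs, form, session)}")
```

The forged request is accepted by the cookie-only check and rejected by the token-plus-origin check. Both controls matter: the origin check stops the common case, and the token covers browsers or proxies that strip the Origin and Referer headers, in which case the check fails closed rather than open.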

   

Disclosure   

 

     3rd party researcher
     Kapil Khot :: kkhot _at_ qualys _dot_ com

 

     CVE-2017-7851

      https://www.qualys.com/2017/03/26/qsa-2017-03-26/qsa-2017-03-26.pdf

      https://cxsecurity.com/cveshow/CVE-2017-7851/

      https://packetstormsecurity.com/files/145036/D-Link-DCS-936L-Cross-Site-Request-Forgery.html

   
Affected Products

 

Currently, D-Link is aware that the following D-Link brand devices may be affected:

 

Model:           DCS-936L
HW Rev.:         All HW Rev A
Affected FW:     v1.02.01 and below
Fixed FW:        v1.05.07
Recommendation:  Use mydlink Mobile Apps to update
Info:
Last Update:     11/17/2017

 
 

Recommendations


To mitigate the risks, we strongly encourage our users to do the following:

 

     - Ensure you have checked your local customer care support site (in the US: support.dlink.com) to get the latest firmware available for your device.

 

 

Security patch for your D-Link Devices


This firmware update addresses security vulnerabilities in affected D-Link devices. D-Link will continue to update this page, and we strongly recommend that all users install the relevant updates.

 

As our products ship in different hardware revisions, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the product, next to the serial number. It can also be found in the device's web configuration interface.