Support Announcement
DIR-865L :: Rev. Ax :: CVE-2013-4857 CVE-2013-4856 CVE-2013-4855 :: Privilege Escalation, Information Disclosure, Directory Traversal

Overview

On October 25, 2019, a 3rd party published reports against D-Link's model DIR-865L citing old CVE IDs that D-Link was not aware of. Three CVEs were disclosed:


- CVE-2013-4857: D-Link DIR-865L router_info.xml privilege escalation
- CVE-2013-4856: D-Link DIR-865L bsc_lan.php information disclosure
- CVE-2013-4855: D-Link DIR-865L SMB Symlink directory traversal


Once D-Link became aware of the reported security issues, it investigated immediately. Fixed firmware had already been released at the time of the CVE disclosure.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.


Disclosure

- https://www.ise.io/casestudies/exploiting-soho-routers/
- https://www.ise.io/soho_service_hacks/

Affected Products

The D-Link DIR-865L sold in the United States, unless otherwise noted, was reported in this 3rd-party disclosure.

Model     HW Rev.           Region  Affected FW      Fixed FW  Current FW  Recommendation                    Info Last Update
DIR-865L  All Ax Revisions  US      v1.03 and below  v1.07b01  v1.20b01    Please See Recommendations Below  10/25/2019


 

Recommendations

While D-Link is aware of the alleged vulnerabilities involving the DIR-865L, the product has reached End of Life (EoL)/End of Support (EoS) and there is no longer support or development for it. Once a product is past its EoL/EoS date, which is stated on its product support page or has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including a shift in market demands, technology innovation, costs or efficiencies based on new technologies, or because the product simply matures over time and is replaced by functionally superior technology.


Once a product is identified as EoL, D-Link will provide the dates after which support and service for that product will no longer be available.

For US consumers, D-Link recommends that this product be retired; any further use may be a risk to devices connected to it and to end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password for access to its web configuration, and always have Wi-Fi encryption enabled with a unique password.


While this is an established part of a product's overall life cycle, D-Link understands that the EoL of a product may affect an end-user's decision to continue to use the product. The chart in the link below outlines D-Link's EoL Policy to help customers better manage their end-of-life transition and to help D-Link better understand its role in helping our customers migrate to alternative D-Link products and technology.


D-Link’s End-of-Life Policy can be found here: https://support.dlink.com/EndOfLifePolicy.aspx