Overview
  
 
 
 
On October 15, 2019, D-Link became aware of CVE-2019-17508, which reports that the DIR-859 Rev. Ax and DIR-850L Rev. Ax have an unauthenticated command injection security vulnerability. D-Link has investigated the report, confirms the issue, and has released patches to close the security vulnerability.
 
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
 
 
Disclosure
 
 
CVE-2019-17508: On D-Link DIR-859 Ax v1.06 and DIR-850 Ax v1.13 devices, /etc/services/DEVICE.TIME.php allows command injection via the $SERVER variable.
 
     - https://github.com/dahua966/Routers-vuls/tree/master/DIR-859
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17508
     - https://www.cvedetails.com/cve/CVE-2019-17508/
 
  
Affected Products
 
 
Currently, the following D-Link brand devices are affected and the following patches are available for upgrading:
 
    
        
| Model | HW Rev. | Region | Affected FW | Fixed FW | Current FW | Recommendation | Info Last Update |
|---|---|---|---|---|---|---|---|
| DIR-859 | All Ax Revs | US | v1.06 & older | v1.07b03_jbli | v1.07b03_jbli | Released | 12/23/2019 |
| DIR-850L | All Ax Revs | US | v1.13 & older | v1.21WWb07 | v1.21WWb07 | Released | 12/23/2019 |
    
 
Security patch for your D-Link Devices
 
This firmware update addresses security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.