Overview
This announcement is an extension of a third-party report involving the DIR-859 Rev. Ax. D-Link confirmed the report and released patches (HERE) for it; it has been publicly disclosed as CVE-2019-17621 (HERE) and CVE-2019-20213 (HERE).
On November 5, 2019, the same third party reported that their original findings, and the related public disclosures CVE-2019-20215 (HERE), CVE-2019-20216 (HERE), and CVE-2019-20217 (HERE), may also affect other devices. D-Link investigated through its security process and confirmed the following models and firmware versions are affected:
- DIR-818Lx Bx firmware v2.05b03_Beta08
- DIR-822 Cx firmware v3.12b04
- DIR-822 Bx firmware v2.03b01
- DIR-823 Ax firmware v1.00b06_Beta
- DIR-859 Ax firmware v1.06b01_Beta01
- DIR-865L Ax firmware v1.07.b01
- DIR-868L Ax firmware v1.12b04
- DIR-868L Bx firmware v2.05b02
- DIR-869 Ax firmware v1.03b02_Beta02
- DIR-880L Ax firmware v1.08b04
- DIR-890L Ax firmware v1.11b01_Beta01
- DIR-885L Ax firmware v1.12b05
- DIR-895L Ax firmware v1.12b10
The original report, filed under CVE-2019-17621 and CVE-2019-20213, concerns the DIR-859 Rev. Ax firmware: CVE-2019-17621 may allow a malicious user unauthenticated remote command execution from the device's LAN-side (in-home) connections, and CVE-2019-20213 is an unauthenticated information disclosure (see the CVE list below). Additional related research, filed under CVE-2019-20215, CVE-2019-20216, and CVE-2019-20217, reported unauthenticated command execution in the device firmware via the device's ssdpcgi() CGI interpreter. Because the affected interfaces require no credentials, any host that can reach the router's LAN interface (including a compromised or guest device on the in-home network) is in scope.
Many of the models listed in this report have reached their End of Support ("EOS") / End of Life ("EOL") life-cycle dates. As a general policy, when a product reaches EOS/EOL it is no longer supported and all firmware development for it ceases, except in certain unique situations. In this case D-Link was able to provide Firmware Beta Patch Releases for several of the EOS/EOL models after their EOS/EOL dates. Please see the information and recommendations below.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
Third-Party Report
Miguel Mendez Z. — (s1kr10s) - Research Center at Telefónica Chile
Pablo Pollanco — (secenv) - Research Center at Telefónica Chile
CVE-ID Public Disclosure
- CVE-2019-17621: UPnP /gena.cgi in D-Link DIR-859 firmware v1.05 & v1.06B01 Beta01 allows unauthenticated command execution
- CVE-2019-20213: D-Link DIR-859 firmware v1.07b03_beta allows unauthenticated information disclosure
- CVE-2019-20215: D-Link DIR-859 firmware v1.05 & v1.06B01 Beta01 devices allow unauthenticated command execution
- CVE-2019-20216: D-Link DIR-859 firmware v1.05 & v1.06B01 Beta01 devices allow unauthenticated command execution
- CVE-2019-20217: D-Link DIR-859 firmware v1.05 & v1.06B01 Beta01 devices allow unauthenticated command execution
Affected Products
This security issue affects a mix of End-of-Service-Life products and products still in their active life cycle. For active products, download the fixed firmware listed below and upgrade through the device's web-configuration GUI; for End-of-Service-Life products, see the recommendation further below.
| Model | HW Rev. | Region | Affected FW | Fixed FW | Recommendation | Info Last Update | EoS/EoL Info |
|---|---|---|---|---|---|---|---|
| DIR-818Lx | All Bx Revisions | US | v2.05b03_Beta08 & older | v2.06b02 Hotfix | Please download & upgrade | 01/20/2020 | Legacy |
| DIR-822 | All Bx Revisions | Non-US | v2.03b01 & older | v2.04b02beta01 Hotfix | Please download & upgrade | 01/22/2020 | Not Applicable |
| DIR-822 | All Cx Revisions | US | v3.12b04 & older | v3.15b03 Hotfix | Please download & upgrade | 11/22/2019 | None/Active SKU |
| DIR-823 | All Ax Revisions | Non-US | v1.00b06_Beta & older | v1.03b03betab01 Hotfix | Please download & upgrade | 12/27/2019 | Not Applicable |
| DIR-859 | All Ax Revisions | US | v1.06b01Beta01 & older | v1.07b03 beta Hotfix | Please download & upgrade | 11/23/2019 | Legacy |
| DIR-865L | All Ax Revisions | US | v1.07b01 & older | EOL / Not Supported | Please see below | 11/23/2019 | Legacy |
| DIR-868L | All Ax Revisions | US | v1.12b04 & older | v1.20b07 Hotfix | Please download & upgrade | 12/06/2019 | Legacy |
| DIR-868L | All Bx Revisions | Non-US | v2.05b02 & older | v2.20b02beta01 Hotfix | Please download & upgrade | 12/18/2019 | Not Applicable |
| DIR-869 | All Ax Revisions | US | v1.03b02Beta02 & older | v1.04b03beta01 Hotfix | Please download & upgrade | 12/23/2019 | None/Active SKU |
| DIR-880L | All Ax Revisions | US | v1.08b04 & older | v1.20b03beta01 Hotfix | Please download & upgrade | 01/06/2020 | Legacy |
| DIR-890L/R | All Ax Revisions | US | v1.11b01_Beta01 & older | v1.21b04_Hotfix | Please download & upgrade | 01/13/2020 | Legacy |
| DIR-885L/R | All Ax Revisions | US | v1.12b05 & older | v1.21b03_Hotfix | Please download & upgrade | 12/09/2019 | Legacy |
| DIR-895L/R | All Ax Revisions | US | v1.12b10 & older | v1.21b05_Hotfix | Please download & upgrade | 12/16/2019 | Legacy |
Note: Some routers must be updated twice to close this security issue. If the ZIP file of the fixed firmware contains two firmware .BIN files, the two-step update is required. First, update the device from the device Web-GUI using {Model-Device-Firmware}_middle_STEP_01.bin. Second, update the device from the Web-GUI using {Model-Device-Firmware}_STEP_02.bin. Apply the images in that order and do not skip the intermediate one. After the final upgrade, confirm that the firmware version shown in the Web-GUI matches the Fixed FW column above.
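When checking an inventory of routers against the table above, the awkward part is D-Link's version strings (v1.06b01_Beta01, v1.07.b01, v1.21b04_Hotfix). The script below is an added example, not D-Link's own code or tooling: it transcribes the Affected FW / Fixed FW columns and classifies a device's reported firmware. Two assumptions are made that the page does not state: versions are ordered on (major, minor, build) only, with Beta and Hotfix suffixes ignored, and "All Ax Revisions" covers every hardware revision whose letter is A, so a device reporting H/W "A1" is mapped to the "Ax" row. Builds that are newer than the listed affected version but older than the hotfix are reported as unverified rather than safe, because the advisory says nothing about them.

```python
"""Added example (not D-Link code): classify a device's running firmware
against the Affected Products table of this advisory."""
import re

# Transcribed from the table: (model, H/W family) ->
# (newest affected version, first fixed version; None where the row says EOL).
ADVISORY = {
    ("DIR-818LX", "Bx"): ("v2.05b03_Beta08", "v2.06b02"),
    ("DIR-822", "Bx"):   ("v2.03b01", "v2.04b02beta01"),
    ("DIR-822", "Cx"):   ("v3.12b04", "v3.15b03"),
    ("DIR-823", "Ax"):   ("v1.00b06_Beta", "v1.03b03betab01"),
    ("DIR-859", "Ax"):   ("v1.06b01Beta01", "v1.07b03 beta"),
    ("DIR-865L", "Ax"):  ("v1.07b01", None),
    ("DIR-868L", "Ax"):  ("v1.12b04", "v1.20b07"),
    ("DIR-868L", "Bx"):  ("v2.05b02", "v2.20b02beta01"),
    ("DIR-869", "Ax"):   ("v1.03b02Beta02", "v1.04b03beta01"),
    ("DIR-880L", "Ax"):  ("v1.08b04", "v1.20b03beta01"),
    ("DIR-890L", "Ax"):  ("v1.11b01_Beta01", "v1.21b04_Hotfix"),
    ("DIR-885L", "Ax"):  ("v1.12b05", "v1.21b03_Hotfix"),
    ("DIR-895L", "Ax"):  ("v1.12b10", "v1.21b05_Hotfix"),
}

# major.minor, optionally followed by a build number "b01" (a stray dot before
# the "b", as in "v1.07.b01", is tolerated). Anything after that is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.?b(\d+))?", re.IGNORECASE)


def parse_version(text):
    """'v1.06b01_Beta01' -> (1, 6, 1); 'v1.07.b01' -> (1, 7, 1); 'v1.05' -> (1, 5, 0).

    Assumption: Beta/Hotfix suffixes do not affect ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build = m.groups()
    return (int(major), int(minor), int(build or 0))


def normalise(model, hw_rev):
    """'dir-890l/r', 'A1' -> ('DIR-890L', 'Ax').

    Assumption: the table's '/R' variants and 'All Ax Revisions' rows cover
    the whole family, so only the revision letter matters."""
    model = model.strip().upper().replace("/R", "")
    hw_rev = hw_rev.strip()
    if not hw_rev:
        raise ValueError("hardware revision is required")
    return model, hw_rev[0].upper() + "x"


def assess(model, hw_rev, running):
    """Return one of: affected, patched, eol-no-fix, unverified, not-listed."""
    key = normalise(model, hw_rev)
    if key not in ADVISORY:
        return "not-listed"
    newest_affected, first_fixed = ADVISORY[key]
    v = parse_version(running)
    if v <= parse_version(newest_affected):
        # the row's "& older" case; an EOL row has no fix to move to
        return "eol-no-fix" if first_fixed is None else "affected"
    if first_fixed is not None and v >= parse_version(first_fixed):
        return "patched"
    # newer than the listed affected build but below the hotfix (or an EOL
    # device on a later build): the advisory is silent, so do not call it safe
    return "unverified"


if __name__ == "__main__":
    # constructed inventory lines for illustration, not real devices
    inventory = [("DIR-859", "A1", "v1.05"),
                 ("DIR-859", "A1", "v1.07b03_beta"),
                 ("DIR-865L", "A1", "v1.07b01"),
                 ("DIR-868L", "B1", "v2.10b01"),
                 ("DIR-890L/R", "A1", "v1.21b04_Hotfix")]
    for model, hw, fw in inventory:
        print(f"{model:<11} {hw:<3} {fw:<18} {assess(model, hw, fw)}")
```

Feed it the model, hardware revision and firmware string as shown on the router's status page; anything reported as "affected" or "unverified" should be upgraded (or, for EOL rows, replaced) rather than assumed clean.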
Recommendation for End of Support Life Products
From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life ("EOL"). D-Link may choose to EOS/EOL a product due to the evolution of technology, market demands, innovations, product efficiencies based on new technologies, or because the product has matured over time and should be replaced by functionally superior technology.
For US Consumers
If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is usually no further extended support or development for it. Once a product reaches its EOL/EOS date, all files posted for the device are moved to https://legacy.us.dlink.com/ as the final information archive for the device.
Typically, for these products, D-Link will not resolve device or firmware issues, since all development and customer support have ceased.