• Home Support Forums Security Advisories Shop     English | French
Support Announcement
DSR-150, DSR-250(N), DSR-500(N),1000(N) & DWC-1000 Authentication Bypass, Arbitrary Command Execution, persistent admin user, weak hash algorithms, credentials stored in plain-text, UPnP stack vulnerabilities, and bad local-file system permissions.

Overview

 

The D-Link DSR-150/150N/250/250N/500/500N/1000/1000N business service routers are under security incident advisory  for multiple vulnerabilites. Exploiting these vulnerabilities could result in data being compromised and the system to be unrellaible and untrusted in a live production network.

 

D-Link Security Incident Reponse Policy

 

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

Any non-critical security issue, help in updating firmware, or configuration regarding this issue please contact your D-Link Customer care channel.

 

Reference

  • CVE-2013-5945: Authentication Bypass by SQL-Injection - Link
  • CVE-2013-5946: Privilege Escalation by Arbitrary Command Execution - Link
  • CVE-2012-5958, CVE-2012-5959, CVE-2012-5961,CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965 - UPnP Vulnerabiliteis - Link
  • Persistent admin credentials resulting in a backdoor access - Link
    • CVE-2012-6613 D-Link DSR-250N devices with firmware 1.05B73_WW and before will allow Persistent Root Access Link Link
    • CVE-2012-6614 D-Link DSR-250N devices with firmware 1.08B31 and before authenticated users to obtain "persistent root access" via the BusyBox CLI Link Link
  • Use of weak hash algorithms  - Link
  • Passwords are stored as plain text in config files - Link
  • Vulnerability: Bad permissions on /etc/shadow - Link

 

General Disclosure

 

Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.  We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.

 

Immediate Recommendations for all D-Link device customers

 

  • If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
  • Make sure that your wireless network is secure.
  • Do not provide your admin password to anyone. If required we suggest updating the password frequently.

 

Details

 

The D-Link DSR-150/150N/250/250N/500/500N/1000/1000N  are suceptible to multiple vulnerabilities that may allow mallicious attacker access to the device, modify it's configuration, and change features to benefit further exploits. Exploiting these vulnerabilities could result in data being compromised and the system to be unrellaible and untrusted in a live production network.

 

Affected Products

 

Model Name

HW Version

Current FW Version

New FW Version for this exploit fix

DSR-150

A1

V1.07 and lower
DSR-150 A2 V1.07 and lower
DSR-150N A2 V1.04 and lower
DSR-250 A1 V1.07 and lower
DSR-250 A2 V1.07 and lower
DSR-250N A1

V1.07 and lower

1.05B73_WW (non-US)
and lower
DSR-250N A2 V1.07 and lower
DSR-500 Ax V1.07 and lower
DSR-500N Ax V1.07 and lower
DSR-1000 Ax V1.07 and lower
DSR-1000N Ax V1.07 and lower
DWC-1000 Ax v4.2.0.3 and lower

 

Security patches for your D-Link Product

 

These firmware updates address the security vulnerabilities in affected D-Link products. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.