Overview
On December 18, 2019, D-Link US became aware of a 3rd-party report that the DGS-1250 series is susceptible to an HTTP header injection vulnerability enabling an attacker to reveal the switch configuration.
This security-related issue has been verified, and firmware patches to correct the issue are under development.
3rd Party Report Information
- Harry Sintonen, harry.sintonen _at_ f-secure _dot_ com
Senior Security Consultant, Cyber Security Products & Services, F-Secure Corp.
- Public Disclosure: https://sintonen.fi/advisories/d-link-dgs-1250-header-injection.txt
Recommendations
Once a firmware correction is issued, we will update this announcement and recommend updating the firmware.
Both before and after the patch is available, we recommend the following:
- This infrastructure switch should never have its management interface accessible from the Internet.
- The web management interface of these infrastructure devices should be placed on an IP sub-network that is blocked, filtered, or VLAN-separated from the Internet-facing IP sub-network.
- Do not leave the default password in place; always set a complex (at minimum alphanumeric) and unique password.
- Once the device is configured for your environment, keep offline backups of its configuration.
- Set a maintenance schedule to update passwords and check for the latest firmware at least every 90 days.