Support Announcements
DGS-1250 :: FW v1.00.040 & v1.x Below / v2.01.006 & v2.x Below :: HTTP header injection vulnerability to Configuration Disclosure

Overview


On December 18, 2019, D-Link US became aware of a third-party report that the DGS-1250 series is susceptible to an HTTP header injection vulnerability that enables an attacker to reveal the switch configuration.

This security-related issue has been verified, and firmware patches to correct the issue are under development.


3rd Party Report Information


  - Harry Sintonen, harry.sintonen _at_ f-secure _dot_ com
    Senior Security Consultant, Cyber Security Products & Services, F-Secure Corp.

  - Public Disclosure:
    https://sintonen.fi/advisories/d-link-dgs-1250-header-injection.txt


Recommendations


Once a firmware correction is issued, we will update this announcement and recommend updating the firmware.


Both before and after the patch is available, we recommend the following:


  1. This infrastructure switch should never have its management interface accessible from the Internet.
  2. The web management of these infrastructure devices should be placed on an IP sub-network that is blocked, filtered, or separated by VLAN from the Internet-facing IP sub-network.
  3. Do not leave the default password in place; always change it to a complex (at minimum alphanumeric) and unique password.
  4. Once the device is configured for your environment, keep offline backups of its configuration.
  5. Set a maintenance schedule to update passwords and check for the latest firmware at least every 90 days.
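The five recommendations above are easy to state and easy to let slip across a fleet of switches. The following script is an added example, not code from D-Link or from the advisory, that audits a constructed inventory of DGS-1250 units against them and against the affected firmware range given in the title. It assumes the title means "v1.x up to and including 1.00.040" and "v2.x up to and including 2.01.006", and it uses a made-up management subnet (10.20.30.0/24), made-up hostnames and addresses, and a simple `default_password` flag that a real inventory would have to populate from its own records.

```python
"""Audit a switch inventory against the DGS-1250 advisory recommendations.

Added example; inventory data, management subnet and field names are
constructed for illustration and are not from the advisory.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Affected firmware read from the advisory title (assumed to be inclusive):
# v1.x up to 1.00.040 and v2.x up to 2.01.006.
AFFECTED_MAX = {1: (1, 0, 40), 2: (2, 1, 6)}

# Recommendation 5: passwords and firmware reviewed at least every 90 days.
ROTATION_DAYS = 90

# Recommendation 2: management interfaces live on a dedicated, filtered
# sub-network. This subnet is an assumption for the example.
MGMT_NET = ipaddress.ip_network("10.20.30.0/24")


def parse_version(text):
    """'v1.00.040' -> (1, 0, 40); the leading 'v' is optional."""
    return tuple(int(part) for part in text.lower().lstrip("v").split("."))


def is_affected(version):
    """True when the firmware falls inside the advisory's affected range."""
    parsed = parse_version(version)
    ceiling = AFFECTED_MAX.get(parsed[0])
    return ceiling is not None and parsed <= ceiling


@dataclass
class Switch:
    name: str
    mgmt_ip: str
    firmware: str
    default_password: bool   # True if the factory password was never changed
    last_rotation: date      # last time the management password was changed
    has_offline_backup: bool  # recommendation 4


def audit(switch, today):
    """Return a list of findings; an empty list means the switch complies."""
    findings = []
    if ipaddress.ip_address(switch.mgmt_ip) not in MGMT_NET:
        findings.append("management IP outside the isolated management subnet (rec. 1/2)")
    if switch.default_password:
        findings.append("default password still in use (rec. 3)")
    if not switch.has_offline_backup:
        findings.append("no offline configuration backup (rec. 4)")
    if (today - switch.last_rotation).days > ROTATION_DAYS:
        findings.append("password older than %d days (rec. 5)" % ROTATION_DAYS)
    if is_affected(switch.firmware):
        findings.append("firmware %s is in the affected range" % switch.firmware)
    return findings


def audit_fleet(switches, today):
    """Map each switch name to its findings."""
    return {s.name: audit(s, today) for s in switches}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Switch("core-sw-1", "10.20.30.11", "v2.01.007", False, date(2019, 12, 1), True),
    Switch("edge-sw-7", "203.0.113.5", "v1.00.040", True, date(2019, 10, 1), False),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, date(2020, 1, 15)).items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run it as a periodic job alongside the 90-day maintenance schedule; a switch whose findings list is empty meets every recommendation and is outside the affected firmware range, while any non-empty list names the recommendation that needs attention.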