Overview

On December 18, 2019, D-Link US became aware by 3rd party accusing the DGS-1250 series of being susceptible to a HTTP header injection vulnerability enabling an attacker to reveal the switch configuration.

This security-related issue is verified, and firmware patches to correct the issue are under development

3rd Party Report information

          - Harry Sintonen, harry.sintonen _at_ f-secure _dot_ com

            Senior Security Consultant, Cyber Security Products & Services F-Secure Corp.

          - Public Disclosure :

            https://sintonen.fi/advisories/d-link-dgs-1250-header-injection.txt

Recommendations

Once a firmware correction is issued, we will update this announcement, and recommend to update the firmware. 

Before and after the patch is available we do recommend the following:

1. This infrastructure switch should never have its management interface accessible to the internet.
2. The web-management of these infrastructure devices itself should be configured IP sub-network that is blocked/filtered/VLAN from communicating with the Internet IP sub-network.
3. Do not leave the default password, always update the password to be complex (Alpha-numeric minimum) and unique.
4. Once configured to your environment, please keep off-line back-ups of the device's configuration.
5. Set a maintenance schedule to updated passwords and check for the latest firmware with no less than 90-day frequency.