Support Announcements
DCS-930L:: HW Rev. Bx :: FW v1.14.04 ::: CSRF in FTP Feature, Improper Cross Domain Policy, and DDoS Vulnerability

Overview

On September 6, 2017, a 3rd party accused the DCS-930L of multiple vulnerabilities.  The functionality for configuring an devices FTP feature to upload camera images has been verified to be vulnerable to CSRF.  Denial of Service attack vectors found in the devices /cgi-bin/upload.cgi and /cgi-bin/upload_settings.cgi. A misconfigurred cross-domain policy for the Adobe Flash Player used to view videos in a browser.  Please use your mydlink mobile application to up date to the latest firmware, or go to mydlink.com for alternative instructions.


3rd Party Report information

 

         Robin Stenvi :: robin.stenvi _at_ protonmail _dot_com

 

 

 Affected Models

 

Model Hardware Revision Affected FW Fixed FW Recommendation  Last Updated
DCS-930L All Bx Hardware Revisions v1.14.04  & Below v1.15.06 Please use mydlink mobile app to updated 01/23/2018

  

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.