Support Announcements
(non-US) DSL-2680 :: Rev. Ax :: EU_1.03 :: CVE-2019-19222/19223/19224/19225/19226 :: Multiple Vulnerabilities :: Product is End of Support

An October 15, 2019 report from a third party alleges multiple security vulnerabilities in the DSL-2680, hardware revision Ax, running firmware vEU1.03. The DSL-2680 reached its End-of-Support date in 2013.

 

This product was never sold in the US.  Other regions worldwide may have specific recommendations on how to proceed using this product or work-arounds that may help minimize your risk should you still choose to use this model. Please make sure you read and understand the End-Of-Support conditions stated below.

 

Third Party Report:

 

Davide Pataracchia :: davide _dot_ pataracchia _at_ protonmail _dot_ com

 

     - CVE-2019-19222 :: LINK : Authenticated command injection vulnerability in device's web configuration interface.

     - CVE-2019-19223 :: LINK : Unauthenticated Broken Access Control vulnerability to reboot in device's web configuration interface.

     - CVE-2019-19224 :: LINK : Unauthenticated Broken Access Control vulnerability to download the device's configuration.

     - CVE-2019-19225 :: LINK : Unauthenticated Broken Access Control vulnerability to change the device's DNS settings.

     - CVE-2019-19226 :: LINK : Unauthenticated Broken Access Control vulnerability to change the device's MAC Address Filtering setting.

 

Recommendation for End of Service Life Products

 

D-Link is aware of the alleged vulnerabilities involving the DSL-2680, but the product has reached End of Life (EoL)/End of Support (EoS) and there is no longer support or development for it. For US products only, which this product does not qualify as, once a product is past its EoL/EoS date, as stated on its product support page, or has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues, since all development and customer support has ceased.


From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including shift in market demands, technology innovation, costs or efficiencies based on new technologies, or the product simply matures over time and is replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.

 

For US consumers, D-Link recommends this product be retired; any further use may be a risk to devices connected to it and end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware installed, make sure you frequently update the device's unique password used to access its web-configuration, and always have Wi-Fi encryption enabled with a unique password.