Support Announcements
DSL-2640B :: Rev. Bx :: FW vEU_4.01B :: Multiple Security Vulnerabilities

 

Overview

 

On February 6, 2020, a third-party report notified D-Link that the DSL-2640B hardware revision Bx running firmware EU_4.01B is affected by multiple security vulnerabilities. The CVE security reports were publicly disclosed on April 17, 2020.

 

For US consumers, the DSL-2640B reached its End-of-Support date on 5/5/2013. It is no longer supported and firmware development has ceased; please see the recommendations below.

 

 

This report concerns firmware supported in the Europe region. If you own the product and have questions, we suggest contacting your regional D-Link office.

 

D-Link is aware of the issues and is investigating. Please check here frequently for updates.

 

Third-Party Report:

 

Cristofaro Mune :: c.mune _at_ pulse-sec _dot_ com 

 

 - CVE-2020-9275: A cfm UDP service listening on port 65002 allows remote, unauthenticated exfiltration of administrative credentials.

 - CVE-2020-9276: The function do_cgi(), which processes CGI requests supplied to the device's web servers, is vulnerable to a remotely exploitable stack-based buffer overflow. Unauthenticated exploitation is possible by combining this vulnerability with CVE-2020-9277.

 - CVE-2020-9277: Authentication can be bypassed when accessing CGI modules.

 - CVE-2020-9278: The device can be reset to its default configuration by accessing an unauthenticated URL.

 - CVE-2020-9279: A hard-coded account allows login to the management interface with high privileges.
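A triage script a defender might run over flow or firewall records for a DSL-2640B that is still in service, added here as an example; it is not code from D-Link or from the reporter. It flags any traffic that reaches the device on UDP/65002 (the cfm service of CVE-2020-9275) or on the web-UI ports, which the other four CVEs go through, and records whether the hit arrived on the WAN or the LAN address. The record format, the sample records, the interface addresses and the assumption that the web UI is served on TCP 80/443 are all constructed for the example; the advisory does not state the web ports or any protocol detail for port 65002, so nothing here talks to the service itself.

```python
"""Triage flow records for exposure of the DSL-2640B services named in this advisory.

Added example, not D-Link's or the reporter's code. It flags traffic that reaches
the device on UDP/65002 (the cfm service, CVE-2020-9275) or on the web-UI ports
(CVE-2020-9276 through CVE-2020-9279) and records which interface was hit.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Port of the cfm UDP service named in CVE-2020-9275 (taken from the advisory).
CFM_UDP_PORT = 65002
# Assumption: the device's web UI is served on the usual HTTP/HTTPS ports; the
# advisory does not say which ports its "web servers" use.
WEB_TCP_PORTS = {80, 443}

# Assumed addresses of the router's interfaces (constructed, not from the advisory).
DEVICE_INTERFACES: Dict[str, str] = {"198.51.100.2": "wan", "192.168.1.1": "lan"}

# Constructed sample records in the made-up format "ts proto src:port -> dst:port".
SAMPLE_FLOWS = [
    "2020-04-18T10:00:01Z udp 203.0.113.7:54011 -> 198.51.100.2:65002",
    "2020-04-18T10:00:05Z tcp 203.0.113.7:54012 -> 198.51.100.2:80",
    "2020-04-18T10:01:00Z udp 192.168.1.20:41000 -> 192.168.1.1:65002",
    "2020-04-18T10:02:00Z udp 192.168.1.20:50000 -> 192.0.2.53:53",
    "2020-04-18T10:03:00Z tcp 192.168.1.21:51000 -> 192.168.1.1:80",
]


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed 'ts proto src:port -> dst:port' format."""
    try:
        ts, proto, src, arrow, dst = line.split()
    except ValueError as exc:
        raise ValueError(f"malformed record: {line!r}") from exc
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port))


def classify(flow: Flow) -> Optional[str]:
    """Name the vulnerable service a flow targets, or None if it is not of interest."""
    if flow.proto == "udp" and flow.dst_port == CFM_UDP_PORT:
        return "cfm udp/65002 (CVE-2020-9275)"
    if flow.proto == "tcp" and flow.dst_port in WEB_TCP_PORTS:
        return "web UI (CVE-2020-9276/9277/9278/9279)"
    return None


def find_exposure(lines: Iterable[str], interfaces: Dict[str, str]) -> List[dict]:
    """Return one finding per flow that hits a vulnerable service on the device.

    'interface' tells the analyst whether the hit arrived on the WAN address
    (Internet-reachable, the case the advisory's "remote" wording describes)
    or only from the LAN side. Flows not addressed to the device are ignored.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        interface = interfaces.get(flow.dst_ip)
        service = classify(flow)
        if interface is None or service is None:
            continue
        findings.append(
            {"ts": flow.ts, "src": flow.src_ip, "service": service, "interface": interface}
        )
    return findings


if __name__ == "__main__":
    for hit in find_exposure(SAMPLE_FLOWS, DEVICE_INTERFACES):
        print(f"{hit['ts']} {hit['interface'].upper()} {hit['service']} from {hit['src']}")
```

A WAN-side finding on either service means the device is reachable exactly as the report describes. Because no fixed firmware exists for the US market, the remediations are the ones the advisory gives below: retire the device, or at minimum disable remote management and drop inbound UDP/65002 on the WAN side where the deployment allows it; changing the administrator password does not remove the hard-coded account of CVE-2020-9279.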

  

 

 

Recommendation for End of Service Life Products

 

For US Consumer

While D-Link is aware of the alleged vulnerabilities involving the DSL-2640B, the product has reached End of Life (EoL)/End of Support (EoS), and there is no further extended support or development for it. Once a product is past its EoL/EoS date, which is stated on its product support page or indicated by its transfer to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues, since all development and customer support has ceased.

 

 

From time to time, D-Link will decide that some of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including a shift in market demands, technology innovation, costs or efficiencies based on new technologies, or the product maturing over time and being replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates after which support and service for that product will no longer be available.

 

For US consumers, D-Link recommends that this product be retired; any further use may be a risk to devices connected to it and to the end users behind it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed. Change the device's unique password for its web configuration frequently, and always have Wi-Fi encryption enabled with a unique password. Note that the most recent US firmware predates this report, and that changing the administrator password does not remove the hard-coded account described in CVE-2020-9279.