Overview
On February 9, 2019, a security researcher submitted a report alleging that the DAP-1520 Rev. Ax FW 1.10B04, DAP-1522 Rev. Ax FW 1.42, and DIR-816L Rev. Bx FW 2.06.B09 potentially have multiple security vulnerabilities.
The DAP-1520 (EOS: 03/08/2019), DAP-1522 (EOS: 07/01/2016), and DIR-816L (EOS: 03/01/2016) have reached their End-of-Support ("EOS") / End-of-Life ("EOL") dates. As a general policy, when a product reaches EOS/EOL, it can no longer be supported, and all firmware development for the product ceases, except in certain unique situations. In this particular case, for the DAP-1520, D-Link was able to provide a Beta Patch Release after the EOS/EOL date. Please see the information and recommendations below.
As part of our standard process, we accept reports from third parties and then confirm the report across the family of products that could be affected by software or hardware design similarities and that are or were shipped under the D-Link brand globally.
Third-Party Report
Ace Team :: Loginsoft :: researchteam _at_ loginsoft _dot_ com
CVE-2020-15892 :: DAP-1520 :: Buffer overflow in the `ssi` binary, leading to arbitrary command execution.
CVE-2020-15893 :: DIR-816L :: Command injection vulnerability in UPnP via a crafted M-SEARCH packet.
CVE-2020-15894 :: DIR-816L :: Exposed administration function, allowing unauthorized access to a limited amount of sensitive information.
CVE-2020-15895 :: DIR-816L :: Reflected XSS vulnerability due to an unescaped value on the device configuration webpage.
CVE-2020-15896 :: DAP-1522 :: Exposed administration function, allowing unauthorized access to a limited amount of sensitive information.
Affected products
| Model | Hardware Revision | Affected FW | Fixed FW | Recommendation | Last Updated |
|---|---|---|---|---|---|
| DAP-1520 | All Ax Hardware Revisions | v1.10B04 & Below | Patch Fix Disqualified | EOS Retire & Replace | 09/24/2020 |
| DAP-1522 | All Ax Hardware Revisions | v1.42 & Below | Not Available | EOS Retire & Replace | 07/21/2020 |
| DIR-816L | All Bx Hardware Revisions | v12.06.B09 & Below | Not Available | EOS Retire & Replace | 07/21/2020 |
Recommendation for End of Support Life Products
From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life ("EOL"). D-Link may choose to EOS/EOL a product due to the evolution of technology, market demands, new innovations, or product efficiencies based on new technologies, or because the product has matured over time and should be replaced by functionally superior technology.
For US Consumer
If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it. Once a product reaches its EOL/EOS date, it is transferred to https://legacy.us.dlink.com/.
Typically for these products, D-Link will be unable to resolve device or firmware issues, since all development and customer support have ceased.
The DAP-1520 is an exceptional case in which D-Link is able to provide a Beta Patch Release. However, D-Link strongly recommends that this product be retired and cautions that any further use of it may put devices connected to it at risk. If US consumers continue to use the DAP-1520 against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, frequently update the unique password used to access the device's web configuration, and always keep Wi-Fi encryption enabled with a unique password.