Support Announcements
DSP-W215 :: Rev. Ax :: FW 1.26B03 :: CVE-2020-13135 :: Information disclosure and weak hash handling

 

Overview 

 

On April 30, 2020, a third-party report alleged that the DSP-W215 hardware revision Ax with firmware 1.26b03 is subject to information disclosure: messages on the local network can be intercepted using Squid Proxy. The information is protected by a hash. However, the hash was also discovered by monitoring the traffic with knowledge of the hashing information.

 

For US consumers, the DSP-W215 Rev. Ax reached its End-of-Support date on 12/29/2019. It is no longer supported and firmware development has ceased; please see the recommendations below.

 

 

For regions outside the US, we suggest contacting your regional D-Link office if you own the product and have a question.

 

Third-Party Report:

 

           - Leopoldo Aguirre CISSP, GPEN, GMOB :: leopoldoagr _at_  gmail  _dot_  com

 

           - Links to Reports: 

                  CVE-2020-13135 :: LINK

                  CVE-2020-13136 :: LINK

 

Recommendation for End of Service Life Products

 

For US Consumer

 

D-Link is aware of the alleged vulnerabilities involving the DSP-W215 Rev. Ax. The product has reached End of Life (EoL)/End of Support (EoS), and there is no more extended support or development for it. Once a product is past its EoL/EoS date, which is stated on its product support page, or has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues, since all development and customer support has ceased.

 

From time to time, D-Link will decide that some of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including shifts in market demand, technology innovation, costs, or efficiencies based on new technologies. Products mature over time and are replaced by functionally superior technology.

 

Once a product is identified as EoL, D-Link will provide the dates for which the support and service for that product will no longer be available.

 

For US consumers, D-Link recommends that this product be retired; any further use may be a risk to the devices and end users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed. Make sure you frequently update the device's unique password for access to its web configuration, and always have Wi-Fi encryption enabled with a unique password.