Support Announcements
DIR-865L :: Rev. Ax :: End of Service Product :: Multiple Vulnerabilities

Overview

On February 28, 2020, a security researcher at Palo Alto Networks reported that the DIR-865L hardware revision Ax running firmware 1.20B01 Beta, released on August 9, 2018, is affected by multiple security vulnerabilities.

For US consumers, the DIR-865L reached its End-of-Support date on 02/01/2016; it is no longer supported and firmware development has ceased. Please see the recommendations below.

As part of our standard process, we accept reports from third parties and then confirm the report across the family of products shipped under the D-Link brand globally that could be affected through software or hardware design similarities.

Third-Party Report

Gregory Basior :: Palo Alto Networks :: Gasior _at_ Palo alto networks _dot_ com
Davila Loranca :: Palo Alto Networks :: adavilaloran _at_ Palo alto networks _dot_ com
Jun Du :: Palo Alto Networks :: judu _at_ Palo alto networks _dot_ com

CVE-ID::

CVE-2020-13785 :: D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13782 :: D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.
CVE-2020-13784 :: D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13783 :: D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13786 :: D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.
CVE-2020-13787 :: D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Informatio…

1. CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)
2. CWE-352: Cross-Site Request Forgery (CSRF)
3. CWE-326: Inadequate Encryption Strength
4. CWE-337: Predictable seed in Pseudo-Random Number Generator
5. CWE-312: Cleartext Storage of Sensitive Information
6. CWE-319: Cleartext Transmission of Sensitive Information

Beta Patch Release

Released: v1.20B01Beta01 05-26-2020 :: LINK

D-Link's recommendation for End of Service Life products: retire the product and replace it with an actively supported product.

Owners of the DIR-865L who use this product beyond EoS, at their own risk, should manually update to the latest firmware. These beta releases are the result of investigating and understanding the report and of our complete investigation of the entire family of products that may be affected. Releasing firmware after EoS is a standard operating procedure.

Fixes Only

The beta release fixes only the following items from the list above:

2. CWE-352: Cross-Site Request Forgery (CSRF)
3. CWE-326: Inadequate Encryption Strength
5. CWE-312: Cleartext Storage of Sensitive Information

Recommendation for End of Service Life Products

For US Consumers

While D-Link is aware of the alleged vulnerabilities involving the DIR-865L, the product has reached End of Life (EoL)/End of Support (EoS), and there is no further extended support or development for it. Once a product is past its EoL/EoS date, which is stated on its product support page or when it has been transferred to https://legacy.us.dlink.com/, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased.

From time to time, D-Link will decide that certain of its products have reached EoL. D-Link may choose to EoL a product for many reasons, including a shift in market demands, technology innovation, costs or efficiencies based on new technologies, or because the product has matured over time and is replaced by functionally superior technology.

Once a product is identified as EoL, D-Link will provide the dates after which support and service for that product will no longer be available.

For US consumers, D-Link recommends that this product be retired; any further use may be a risk to the devices and end-users connected to it. If US consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, change the device's unique web-configuration password frequently, and always have WiFi encryption enabled with a unique password.