Support Announcements
Regarding D-Link Products and Forescout Research Labs AMNESIA:33: Open Source TCP/IP Libraries Vulnerabilities

Overview

 

On December 8, 2020, Forescout Research Labs released a public disclosure known as AMNESIA:33. AMNESIA:33 is a set of 33 vulnerabilities that impact four open source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net), which collectively serve as the foundational components of millions of connected devices worldwide. These vulnerabilities primarily cause memory corruption, allowing attackers to compromise devices, execute malicious code, perform denial-of-service attacks and steal sensitive information.

 

D-Link investigated these disclosed security issues and whether any D-Link brand products utilize these vulnerable libraries.

 

AMNESIA:33 affects four open source TCP/IP stacks (uIP, FNET, picoTCP and Nut/Net) that could impact millions of connected devices worldwide. D-Link's DIR-505 router was reported to be affected, since it uses a u-boot v1.114 web server based on uIP; however, the DIR-505 reached End of Life/End of Service on January 31, 2018 (D-Link Legacy Information). Once a product has reached its EoL/EoS date, D-Link is unable to provide support or development for this product and is therefore unable to resolve newly discovered vulnerability concerns.

 

The u-boot web server is only utilized when device recovery mode is enabled for emergency purposes (under normal circumstances, recovery mode is disabled). Therefore, D-Link has confirmed that the vulnerabilities do not affect any other D-Link products. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates regularly.

 

Report

      

Get up-to-date information about impacted vendors and devices from CERT coordination agencies. Refer to the latest security advisories about AMNESIA:33 vulnerabilities.

 

 


 

Details / Response

 

Product Categories
Affected Models | Recommendation | Updated
DIR-505, All Hardware Revisions | Retire & Replace End of Service Life Products | 12/17/2020

 

Recommendation for End of Support Life Products

 

From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life ("EOL"). D-Link may choose to EOS/EOL a product due to evolution of technology, market demands, new innovations, or product efficiencies based on new technologies, or because the product has matured over time and should be replaced by functionally superior technology.

 

For US Consumer

 

If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it. Once a product reaches its EOL/EOS date, it is transferred to https://legacy.us.dlink.com/

 

Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased. 


The DIR-505 is an exceptional circumstance in which D-Link is able to provide a Beta Patch Release. However, D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use the DIR-856L against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, frequently update the unique password used to access the device's web configuration, and always have Wi-Fi encryption enabled with a unique password.