Support Announcements
DAP-1330 :: H/W Rev. Ax :: F/W v1.13B01 BETA :: Multiple Buffer Overflow (RCE) Vulnerabilities

Overview

On January 29, 2021, a third-party security research team, Trend Micro's Zero Day Initiative (ZDI), submitted four (4) reports stating that the DAP-1330 Hardware Revision A running hot-fix firmware v1.13B01 BETA is affected by four (4) unique buffer overflow remote code execution vulnerabilities that may lead to the device malfunctioning. These vulnerabilities were assigned ZDI-CAN-12028, ZDI-CAN-12020, ZDI-CAN-12065, and ZDI-CAN-12066 by Trend Micro. These vulnerability reports were confirmed and a patch is under development (as of 06/10). Please find the latest information in the table below.

 

The DAP-1330 is a LAN-side device only; under its intended use it does not offer a security attack vector from the internet. If the device was installed as recommended out-of-the-box, a malicious user would need to compromise the device's WiFi security or have physical access to the device. Because it is a LAN-side-only device with a reduced attack surface, the risks from these vulnerabilities are reduced, but they will be patched in a firmware that is under developm


3rd Party Report information

 

          - Report provided by: Trend Micro's Zero Day Initiative (ZDI) :: zdi-disclosures _at_ trendmicro _dot_ com

 
          - Reference: (Language directly from ZDI Report) CVE-id will be posted once publicly available

 

 - ZDI-CAN-12028: D-Link DAP-1330 HNAP Cookie Header Stack-based Buffer Overflow Remote Code Execution Vulnerability

      - Stack buffer overflow in `libhnap.so` due to the use of `strcpy` in `splite_cookie()` when processing the `uid` portion of an attacker-controlled HTTP request cookie



- ZDI-CAN-12029: D-Link DAP-1330 HNAP checkValidRequest Stack-based Buffer Overflow Remote Code Execution Vulnerability

      - The vulnerability is located in `checkValidRequest()` of `libhnap.so`. The vulnerability is caused by the use of `sprintf()` to copy an attacker-controlled buffer into an 80-byte stack buffer.

 


 - ZDI-CAN-12065: D-Link DAP-1330 lighttpd http_parse_request Buffer Overflow Remote Code Execution Vulnerability

     - The vulnerability is located in `http_parse_request()` of the `lighttpd` web server. `strcpy()` is used to copy attacker-controlled data into a 50-byte global buffer when processing HNAP_AUTH header.

 

 

 - ZDI-CAN-12066: D-Link DAP-1330 lighttpd get_soap_action Buffer Overflow Remote Code Execution Vulnerability

     - The vulnerability is located in `http_parse_request()` of the `lighttpd` web server. `strcpy()` is used to copy attacker-controlled data into a 50-byte global buffer when processing HNAP_AUTH header.
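
The reports above all describe the same defect class: an unbounded `strcpy()`/`sprintf()` of a request header value into a fixed-size buffer. The following is an added example of the bounded form of those copies, not D-Link firmware code or code from the ZDI reports; the function names, the `FIELD_BUF` size used for the `uid` value, the `action:uid` format and the sample cookie are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_BUF   50  /* matches the 50-byte buffer in the advisory; assumed for uid */
#define REQUEST_BUF 80  /* stack buffer size stated in the advisory */

/* Unsafe pattern from the reports, for contrast only:
 *     strcpy(dst, value);  sprintf(dst, "%s", value);   (no length check) */

/* Copy len bytes of a header value into dst and NUL-terminate.
 * Returns 0 on success, -1 (dst untouched) if it would not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (!dst || !src || len >= dst_size)
        return -1;                /* reject oversized input, never truncate */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Find "uid=<value>" in a Cookie header and copy <value> into dst. */
int extract_cookie_uid(const char *cookie, char *dst, size_t dst_size)
{
    const char *p = cookie;
    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;                              /* skip pair separators */
        size_t n = strcspn(p, ";");           /* length of this name=value */
        if (n > 4 && strncmp(p, "uid=", 4) == 0)
            return copy_bounded(dst, dst_size, p + 4, n - 4);
        p += n;
    }
    return -1;                                /* no uid pair present */
}

/* Bounded replacement for the sprintf() call: fails instead of overflowing. */
int format_request(char *dst, size_t dst_size, const char *action, const char *uid)
{
    int n = snprintf(dst, dst_size, "%s:%s", action, uid);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

int main(void)
{
    char uid[FIELD_BUF], req[REQUEST_BUF];
    /* constructed sample header, not captured traffic */
    if (extract_cookie_uid("lang=en; uid=abc123", uid, sizeof uid) == 0 &&
        format_request(req, sizeof req, "ExampleAction", uid) == 0)
        puts(req);
    return 0;
}
```

Rejecting an oversized value, rather than silently truncating it, keeps a malformed request from being processed with a partial field.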

 

 Affected Models

 

| Model | Hardware Revision | Affected FW | Fixed FW | Recommendation | Last Updated |
|---|---|---|---|---|---|
| DAP-1330 | All Ax Hardware Revisions | v1.13B01 BETA (hotfix) & Below | Under Development | Estimated Release July. 2021 | 06/10/2021 |

  

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.