Support Announcements
DIR-X1560 : Rev Ax : FW v1.04B04 / (non-US) DIR-X6060 : Rev Ax : FW v1.11B04 :: Chipset Patches required to mitigate WPA3-SAE & WPA2 attacks

Overview

 

On June 14, 2021, a 3rd party researcher reported that the DIR-X1560 and DIR-X6060 were affected by a series of WiFi security vulnerabilities the researcher would be disclosing. D-Link investigated and confirmed the reported vulnerabilities. To correct these issues, D-Link was required to go to the devices' chipset vendor for corrections in the chipset vendor's software development kit that is deployed in the devices' firmware.


Below you will find patches for the two models that close the reported vulnerabilities.

 

3rd Party Report information

    Reports provided: 

 

      - Efstratios Chatzoglou :: University of the Aegean :: efchatzoglou _at_ gmail _dot_ com

  

     - Georgios Kambourakis :: European Commission at the European Joint Research Centre

 

     - Constantinos Kolias :: University of Idaho

 

     Publicly Disclosed 3rd Party Report :: (Link to be updated) Series of 8 security issues affecting implementations of WPA3-SAE & WPA2 across various chipsets and vendors in the Wi-Fi industry.

 

     Exploit 1: An attacker needs to send a SAE Commit frame to the AP, using as the source MAC address that of an already connected STA. Using only this one frame, the targeted STA was disconnected with a state of no internet access.

 

     Exploit 2: The authentication algorithm in the authentication commit frame. Constructing a frame with values between 1 and 65535, except 3, in the authentication algorithm field (algo) can lead to disconnecting the device whose MAC address is contained in the addr2 field, after 100-200 such frames.

 

     Exploit 3: The status code in the authentication confirm frame. The value seqnum = 1 refers to an authentication commit frame, while the value seqnum = 2 refers to an authentication confirm frame. Status code values between 1 and 65535 can cause a disconnection.

 

     Exploit 4: The send confirm field. send = '\x11\x11', confirm = 'valid_confirm', frame = Auth/send/confirm. The latter frame is constructed to be an authentication confirm one. When the send value is between 2 and 65534, the attack can disconnect a device. As you can see, I changed the default value of send field from \x00\x00, to \x11\x11.

 

     Exploit 5: The empty frame of authentication confirm. When such a frame, which does not contain a value of send confirm and confirm, is sent to the access point, the latter disconnects the targeted device.

 

     Exploit 6: An attacker can disconnect multiple already connected STAs on a 5GHz channel or, in the worst case, cause them to be in a no-internet state, at both APs at the same time. This issue can be exploited independently of the authentication method, WPA2 or WPA3.

 

      Exploit 7: An AP operating in WPA2 responds with an Open Auth frame with a status code "Success" (0) upon receiving a SAE Commit, while it must instead respond with a reject message indicating a status code 13. To exploit this, first target the AP that operates with WPA2 and PMF in capable/required mode, by using the provided code for approximately 600 bursts or approximately 3 min. After this phase, the AP's memory is probably filled up with bad sessions. As a result, an attacker can circle between the STAs, and disconnect all of them.
 

      Exploit 8: Duplicate MAC address issue. Regarding WPA3-SAE, an authenticated attacker could connect to an AP by using the same MAC address as an already connected STA. This leads the AP to delete the SA with the legitimate STA, causing no internet access for the latter.
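
A defender-side check for the frame patterns listed in Exploits 1 to 5, as an added example that is not from D-Link or the researchers' report: it parses the fixed fields of an 802.11 Authentication frame body and labels frames that fall in the value ranges quoted above. The function names, labels, sample frames and the `associated` set are assumptions, and the rules are heuristics for an SAE network rather than a complete detector.

```python
import struct
from collections import Counter

SAE = 3  # IEEE 802.11 authentication algorithm number for SAE (0 is Open System)

def check_auth_frame(src_mac, body, associated):
    """Label one Authentication frame body (bytes after the 802.11 MAC header).

    associated: lowercase MACs the AP lists as connected (assumed input,
    e.g. exported from the AP or a wireless IDS sensor).
    """
    if len(body) < 6:
        return ["truncated-auth-frame"]
    algo, seq, status = struct.unpack_from("<HHH", body)  # little-endian fields
    rest, hits = body[6:], []
    if algo not in (0, SAE):                  # Exploit 2: 1..65535 except 3
        hits.append("exploit2-unexpected-algo")
    if algo == SAE and seq == 1 and src_mac.lower() in associated:
        hits.append("exploit1-commit-from-connected-mac")
    if algo == SAE and seq == 2:              # SAE confirm
        if status != 0:                       # Exploit 3
            hits.append("exploit3-nonzero-status-in-confirm")
        if len(rest) < 2:                     # Exploit 5: nothing after the header
            hits.append("exploit5-empty-confirm")
        elif 2 <= struct.unpack_from("<H", rest)[0] <= 65534:  # Exploit 4
            hits.append("exploit4-send-confirm-in-reported-range")
    return hits

def scan(frames, associated):
    """Count matched labels per source MAC over (src_mac, body) pairs."""
    counts = Counter()
    for src, body in frames:
        for label in check_auth_frame(src, body, associated):
            counts[(src.lower(), label)] += 1
    return counts

def hdr(algo, seq, status=0):
    """Build the 6-byte fixed part of an Authentication frame body."""
    return struct.pack("<HHH", algo, seq, status)

# Constructed sample frames (not captured traffic); MACs are locally administered.
STA, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [
    (STA, hdr(3, 1) + struct.pack("<H", 19) + bytes(96)),  # commit, connected MAC
    (STA, hdr(7, 1)),                                      # unknown algorithm
    (STA, hdr(3, 2)),                                      # empty confirm
    (STA, hdr(3, 2) + b"\x11\x11" + bytes(32)),            # send-confirm 0x1111
    (OTHER, hdr(3, 2) + b"\x01\x00" + bytes(32)),          # ordinary confirm
]
```

A legitimate client can match the Exploit 1 rule when it re-authenticates, so hits are leads to correlate with disconnect events on the AP rather than verdicts.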

 

Affected Models

 

Model | Hardware Revision | Region | Affected FW | Fixed FW | Recommendation | Last Updated
DIR-X1560 | All A Hardware Revisions | US | v1.04B04 & Below | v1.04B04 Hotfix | Download Hotfix and manually update router | 08/24/2021
DIR-X6060 | All A Hardware Revisions | Worldwide | v1.11B04 & Below | v1.02B01 Hotfix | Download Hotfix and manually update router | 08/24/2021

  

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.