Overview

On June 14, 2021, a 3rd party researcher accused the DIR-X1560 and DIR-X6060 of being affected by a series of WiFi security vulnerabilities the researcher would be disclosing.  D-Link investigated and found the vulnerabilites reported confirmed.  In order to correct these issue, D-Link was required to go the devices' chipset vendor for corrections  in the chipset vendor's software development kit that is deployed in  the devices firmware.

Below you will find patches for the two model's that close the reported vulnerabilities.

3rd Party Report information

    Reports provided: 

      - Efstratios Chatzoglou :: University of the Aegean :: efchatzoglou _at_ gmail _dot_ com

     - Georgios Kambourakis :: European Commission at the European Joint Research Centre

     - Constantinos Kolias :: University of Idaho

     Public Disclosed 3rd Party Report ::

       - https://www.sciencedirect.com/science/article/pii/S221421262100243X

       - https://icsdweb.aegean.gr/awid/dos-attacks-on-wpa3-sae

       - CVE-2021-41753 :: LINK :: Series of 8 security issues affecting implementations of WPA3-SAE & WPA2 across various chipset and vendors in the WIFI industry.

     Exploit 1: An attacker needs to send a SAE Commit frame to the AP, by using as a source MAC address the one of an already connected STA.  Using only this one frame, the targeted STA was disconnect with a state of no internet access.

     Exploit 2: The authentication algorithm in authentication commit frame. By constructing a frame, values between 1 and 65535, but 3 of authentication algorithm field (algo), can lead into disconnecting the device's MAC address that it is containing in the addr2 field, after 100-200 of such frames.

     Exploit 3: The status code in authentication confirm frame. if the value of seqnum = 1 is referring to an authentication commit frame, while the value of seqnum = 2 is referring to an authentication confirm frame. A status code values between 1 and 65535, can cause a disconnection.

     Exploit 4: The send confirm field. send = '\x11\x11', confirm = 'valid_confirm', frame = Auth/send/confirm. The latter frame is constructed to be an authentication confirm one. When the send value is between 2 and 65534, the attack can disconnect a device. As you can see, I changed the default value of send field from \x00\x00, to \x11\x11.

     Exploit 5:The empty frame of authentication confirm. By sending such a frame to the access point, which does not contain a value of send confirm and confirm, the latter disconnects the targeted device.

     Exploit 6: An attacker can disconnect a multiple number of already connected STAs of a 5GHz channel or in the worst case cause them to be in a no internet state, at both APs at the same time. This issue can be exploited independently of the authentication method, WPA2 or WPA3.

      Exploit 7: When that AP is operating in WPA2 responds with an Open Auth frame with a status code ``Success'' (0) upon receiving a SAE Commit. While, it must instead respond with a reject message indicating a status code 13. To exploit this first target the AP that operates with WPA2 and PMF in capable/required mode, by using the provided code for approximately 600 bursts or approximately 3 min. After this phase, where the AP's memory is probably filled up with bad sessions. As a result, an attacker can circle between the STAs, and disconnect all of them.
 

      Exploit 8: Duplicate MAC address issue. Regarding the WPA3-SAE, an authenticated attacker could connect to an AP by using the same MAC address of an already connected STA. This leads the AP into deleting the SA with the legitimate STA, causing a no-internet access to the latter.

Affected Models