Overview
On August 16, 2021, D-Link became aware of the public disclosure from IoT Inspector of multiple security vulnerabilities in the Realtek Chipset RTL8xxx software development kit (SDK).
Realtek chipsets are found in many embedded devices in the IoT space. RTL8xxx SoCs – which provide wireless capabilities – are very common. We therefore decided to spend time identifying binaries running on the RTL819xD on our target device, which expose services over the network and are provided by Realtek themselves. Such binaries are packaged as part of the Realtek SDK, which is developed by Realtek and provided to vendors and manufacturers who use the RTL8xxx SoCs.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
D-Link is investigating these reported security issues and whether any D-Link brand WiFi products are affected by these vulnerabilities. The latest information regarding this security vulnerability is below. D-Link recommends checking back regularly and keeping your device(s) up to date.
Report
- Realtek Vulnerability Report: Link to Post
- IoT Inspector: Link to Post
- HelpNetSecurity
- Tech Radar
- Duo.com
Details
Affected Versions
rtl819x-SDK-v3.2.x Series
rtl819x-SDK-v3.4.x Series
rtl819x-SDK-v3.4T Series
rtl819x-SDK-v3.4T-CT Series
rtl819x-eCos-v1.5.x Series
CVE ID
CVE-2021-35392 (‘WiFi Simple Config’ stack buffer overflow via UPnP)
CVE-2021-35393 (‘WiFi Simple Config’ heap buffer overflow via SSDP)
CVE-2021-35394 (MP Daemon diagnostic tool command injection)
CVE-2021-35395 (management web interface multiple vulnerabilities)
Affected Models
Model | Hardware Revision | Region | Fixed FW | Recommendation | Last Updated |
DIR-612 | Z1 | Non-US | Not Affected | Not Affected | 09/24/21 |
DIR-825 | J1 | Non-US | Not Affected v1.01 | Not Affected | 09/24/21 |
DIR-612 | X1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-615 | T2 | Non-US | v20210930 | CVE-2021-35394/95: No impact; CVE-2021-35392/93: Download & Update device | 10/17/21 |
DIR-615 | X1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-615+ | A1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-822 | E1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-825 | I1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-615 | Z1 | Non-US | v1.0.2_WW_Hotfix | Download & Update device | 09/24/21 |
DIR-842 | F1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-842V2 | A1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
COVR-1100 | A1 | Non-US | Under Investigation | Pending | 09/17/21 |
DIR-825 | R5 | Non-US | Not Affected | Not Affected | 09/24/21 |
DIR-842 | R5 | Non-US | Not Affected | Not Affected | 09/24/21 |
DIR-842 | S2 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-815 | R1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-822 | R1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-841 | A1 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-842 | R1 | Non-US | EOL | EOL/EOS | 09/17/21 |
DIR-825 | R1 | Non-US | EOL | EOL/EOS | 09/17/21 |
DIR-815 | R4 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-822 | R4 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-842 | R4 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DIR-825 | R4 | Non-US | Q4 2021 | Pending Release | 09/17/21 |
DSL-124 | R1 | Non-US | v1.00_ME_Hotfix2 | Download and Update Device | 10/17/21 |
DSL-224 | R1 | Non-US (ME Region) | vME_1.10 | Download and Update Device | 10/17/21 |
DSL-224 | S1 | Non-US (EMC Region) | vEMC_1.01 | Download and Update Device | 10/17/21 |
DIR-815 | D1 | Non-US | v4.11WWB01 | Download and Update Device | 09/24/21 |
DIR-825 | G1 | Non-US | v7.12B01 | Download and Update Device | 09/24/21 |
DIR-825+ | A1 | Non-US | v1.04WWb02 | Download & Update device | 09/24/21 |
DAP-1610 | B1 | Non-US | v202B02_Hotfix | Download & Update device | 10/17/21 |
DAP-1530 | B1 | Non-US | v2.02B02_Hotfix | Download & Update device | 10/17/21 |
DSL-2740U | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-2750U | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-2640U | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-G2452GR | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-245GR | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DVG-5402G | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-224/R1A | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DSL-224/019/R1A | R1 | Non-US | Q4 2021 | Pending Release | 09/24/21 |
DHP-W610AV | B1 | Non-US | v2.02B13_Beta01 | Download & Update device | 10/17/21 |
Regarding Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.
If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it. Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased. D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use these devices against D-Link's recommendation, please make sure the device has the most recent firmware, make sure you frequently update the device's unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.