D-Link Technical Support

Home Support Forums Security Advisories Shop English | French

Support Announcement

OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services

Overview

On April 7, 2014, CVE-2014-0160 at Mitre was published (also know as the "Heartbleed Bug") describing a security vulnerability with the OpenSSL software library. SSL/TLS communication over the internet is the most common form of encryption to protect critical data between device to device, device to user, and device to service. SSL/TLS communication is most commonly recognized when using a web browser and a secure web site/address is accessed with https://...

Quoted from the "Heartbleed Bug" site:

"This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine if our devices and customers are affected by this security vulnerability. You will find current status below and can contact us at security@dlink.com about specific questions.

D-Link Security Incident Reponse Policy

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

Any non-critical security issue, help in updating firmware, or configuration regarding this issue please contact your D-Link Customer care channel.

Reference

Heartbleed Site - Link - Many references and details regarding this issue

Mitre - CVE-2014-0160 - Link

OpenSSL - Post - Link

General Disclosure

Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link product.

Immediate Recommendations for all D-Link customers

Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet. Remote Management is default disabled on all D-Link Routers and is included for customer care troubleshooting if useful and the customer enables it.

If you receive unsolicited e-mails that relates to security vulnerabilities and prompt you to action, please ignore it. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.

Make sure that your wireless network is secure.

Do not provide your admin password to anyone. If required we suggest updating the password frequently.

Description

We encourage users to read the links provided in the References section so we do not misinterpret, misuse, or create duplicate effort to reporting security issues.

From OpenSSL:

      TLS heartbeat read overrun (CVE-2014-0160):

      Any device that deployed OpenSSL version 1.0.1 and 1.0.2-beta are affected, this includes 1.0.1f and 1.0.2-beta1.

      A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Affected Products and Services

General guidelines to check for all devices that may be infected

OpenSSL
•    Affected Version：1.0.1 ~ 1.0.1f / 1.0.2-beta
•    Version Name to fix：1.0.1g / 1.0.2-beta1
•    Affected Linux Distribution

o    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
o    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
o    CentOS 6.5, OpenSSL 1.0.1e-15
o    Fedora 18, OpenSSL 1.0.1e-4
o    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
o    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
o    NetBSD 5.0.2 (OpenSSL 1.0.1e)
o    OpenSUSE 12.2 (OpenSSL 1.0.1c)

mydlink device cloud services

- mydlink cloud service and mydlink web-portal is not affected by this security vulnerability

- some mydlink devices are affected and we are preparing a list and schedule of fixes that will be updated below

D-Link Devices

Consumer Wired/Wireless Routers

Note: Each product that utilizes the OpenSSL software library is listed below with status.