Overview
On April 7, 2014, CVE-2014-0160 (also known as the "Heartbleed Bug") was published at Mitre, describing a security vulnerability in the OpenSSL software library. SSL/TLS is the most common form of encryption used over the internet to protect critical data exchanged device to device, device to user, and device to service. It is most commonly recognized when a web browser accesses a secure web site/address beginning with https://...
Quoted from the "Heartbleed Bug" site:
"This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine if our devices and customers are affected by this security vulnerability. You will find current status below and can contact us at security@dlink.com about specific questions.
D-Link Security Incident Response Policy
All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/
Our security response team can be contacted for incident information or to report incidents at security@dlink.com
For any non-critical security issue, help in updating firmware, or configuration regarding this issue, please contact your D-Link Customer care channel.
Reference
Heartbleed Site - Link - Many references and details regarding this issue
Mitre - CVE-2014-0160 - Link
OpenSSL - Post - Link
General Disclosure
Security and performance are of the utmost importance to D-Link across all product lines. This applies not just during the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the cautions below to avoid unwanted intrusion into your D-Link product.
Immediate Recommendations for all D-Link customers
- Do not enable the Remote Management feature, since this will allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link routers; it is included for customer care troubleshooting, for use only when the customer enables it.
- If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
- Make sure that your wireless network is secure.
- Do not provide your admin password to anyone. If required we suggest updating the password frequently.
Description
We encourage users to read the links provided in the Reference section so that we do not misinterpret, misuse, or duplicate effort in reporting security issues.
From OpenSSL:
TLS heartbeat read overrun (CVE-2014-0160):
Any device that deployed OpenSSL version 1.0.1 or 1.0.2-beta is affected; this includes 1.0.1f and 1.0.2-beta1.
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Affected Products and Services
General guidelines to check for all devices that may be affected
OpenSSL
• Affected Version: 1.0.1 ~ 1.0.1f / 1.0.2-beta
• Version Name to fix: 1.0.1g / 1.0.2-beta1
• Affected Linux Distribution:
  o Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  o Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  o CentOS 6.5, OpenSSL 1.0.1e-15
  o Fedora 18, OpenSSL 1.0.1e-4
  o OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  o FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  o NetBSD 5.0.2 (OpenSSL 1.0.1e)
  o OpenSUSE 12.2 (OpenSSL 1.0.1c)
mydlink device cloud services
- The mydlink cloud service and mydlink web-portal are not affected by this security vulnerability.
- Some mydlink devices are affected, and we are preparing a list and schedule of fixes that will be updated below.
D-Link Devices
Consumer Wired/Wireless Routers
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DIR-505 & DIR-505L | A1/A2 | All Firmware | Not Affected
DIR-508L | A1 | All Firmware | Not Affected
DIR-510L | A1 | All Firmware | Not Affected
DIR-518L | A1 | All Firmware | Not Affected
DIR-600L | A1/B1 | All Firmware | Not Affected
DIR-605L | A1/B1 | All Firmware | Not Affected
DIR-619L | A1/B1 | All Firmware | Not Affected
DIR-636L | A1 | All Firmware | Not Affected
DIR-900L | A1 | All Firmware | Not Affected
DIR-905L | A1/B1 | All Firmware | Not Affected
DIR-808L | A1 | All Firmware | Not Affected
DIR-810L | A1 | All Firmware | Not Affected
DIR-816L | A1 | All Firmware | Not Affected
DIR-817L | A1 | All Firmware | Not Affected
DIR-820L | A1/B1 | All Firmware | Not Affected
DIR-820L-CV1 | A1 | All Firmware | Not Affected
DIR-820L-CV2 | A1 | All Firmware | Not Affected
DIR-826L | A1 | All Firmware | Not Affected
DIR-845L | A1 | All Firmware | Not Affected
DIR-850L | A1 | All Firmware | Not Affected
DIR-855L | A1 | All Firmware | Not Affected
DIR-860L | A1 | All Firmware | Not Affected
DIR-865L | A1 | All Firmware | Not Affected
DIR-868L | A1 | All Firmware | Not Affected
DIR-868L-CV | A1 | All Firmware | Not Affected
DIR-880L | A1 | All Firmware | Not Affected
DIR-505L | A1/A2 | All Firmware | Not Affected
VDI-604 | All Revisions | All Firmware | Not Affected
VDI-624 | All Revisions | All Firmware | Not Affected
Broadband DSL/Cable/Fiber Wired/Wireless Routers
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSL-2640R | All Revisions | All Firmware | Not Affected
DSL-2740R | All Revisions | All Firmware | Not Affected
DSL-2750B | All Revisions | All Firmware | Not Affected
DSL-2750-SG | All Revisions | All Firmware | Not Affected
DSL-2680 | All Revisions | All Firmware | Not Affected
DSL-2780 | All Revisions | All Firmware | Not Affected
DSL-3680 | All Revisions | All Firmware | Not Affected
DSL-3780 | All Revisions | All Firmware | Not Affected
DSL-3882 | All Revisions | All Firmware | Not Affected
DSL-6300V | All Revisions | All Firmware | Not Affected
DCM Broadband Family | All Revisions | All Firmware | Not Affected
DWR Broadband Family | All Revisions | All Firmware | Not Affected
DWR-330-SG | All Revisions | All Firmware | Not Affected
Business VPN/Services Routers
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSR Service Router Family | All Revisions | All Firmware | Not Affected
DFL Firewall Family | All Revisions | All Firmware | Not Affected
Business and Consumer WiFi Access Points/Media Bridges/Extenders/Repeaters
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DAP Access Point Family | All Revisions | All Firmware | Not Affected
DAP Bridge Family | All Revisions | All Firmware | Not Affected
DAP Extender/Repeater Family | All Revisions | All Firmware | Not Affected
DAP Managed Access Point Family | All Revisions | All Firmware | Not Affected
DWL Unified Access Point | All Revisions | All Firmware | Not Affected
DWC Unified Wireless Controller Family | All Revisions | All Firmware | Not Affected
DAP Cloud-Service Access Point Family | All Revisions | All Firmware | Not Affected
DHP Powerline Family | All Revisions | All Firmware | Not Affected
DXN HPNA/MOCA Family | All Revisions | All Firmware | Not Affected
DEM Media Converter Family | All Revisions | All Firmware | Not Affected
Consumer and Business Wired Switches
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DES Wired Switch Family | All Revisions | All Firmware | Not Affected
DGS Wired Switch Family | All Revisions | All Firmware | Not Affected
DXS Wired Switch Family | All Revisions | All Firmware | Not Affected
DWS Unified Wireless Switch Family | All Revisions | All Firmware | Not Affected
72xx Chassis Switch Family | All Revisions | All Firmware | Not Affected
Business and Consumer Storage
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DNS-320 | Ax/Bx | All Firmware | Not Affected
DNS-320L | All Revisions | All Firmware | Not Affected
DNS-325 | All Revisions | All Firmware | Not Affected
DNS-327L | Ax | 1.01 Affected | Firmware: 1.02 (Release Notes)
DNR-312L | All Revisions | All Versions | Not Affected
DNR-322L | All Revisions | All Versions | Not Affected
DNR-326 | All Revisions | All Versions | Not Affected
DNR-2060-08P | All Revisions | All Versions | Not Affected
DNS-1200-04 | All Revisions | All Versions | Not Affected
DNS-1200-06 | All Revisions | All Versions | Not Affected
DNS-1550-04 | All Revisions | All Versions | Not Affected
DNS-1100-04 | All Revisions | All Versions | Not Affected
DNS-1200-05 | All Revisions | All Versions | Not Affected
Network (IP) Camera (including mydlink consumer cameras)
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DCS-8xxL Family | All Revisions | All Versions | Not Affected
DCS-9xxL Family | All Revisions | All Versions | Not Affected
DCS-2xxxL Family | All Revisions | All Versions | Not Affected
DCS-3xxxL Family | All Revisions | All Versions | Not Affected
DCS-5xxxL Family | Most Revisions (exception below) | Most Versions (exception below) | Not Affected (exception below)
DCS-6xxxL Family | All Revisions | All Versions | Not Affected
DCS-7xxxL Family | All Revisions | All Versions | Not Affected
Specific Exceptions | | |
DCS-5615 | Ax | 1.00 | Firmware: 1.01 (Release Notes)
Smart/Connected Home Devices
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DCH Extender Family | All Revisions | All Versions | Not Affected
DSP Smart Plug Family | All Revisions | All Versions | Not Affected
DSP Smart Sensory Family | All Revisions | All Versions | Not Affected
Networking Interface Cards (PCIe, USB, PCCard)
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DE/DFE Adapter Family | All Revisions | All Versions | Not Affected
DGS Adapter Family | All Revisions | All Versions | Not Affected
DWL/DWA Adapter Family | All Revisions | All Versions | Not Affected
Print Servers and USB Devices
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DP print server Family | All Revisions | | Not Affected
DUB USB Device Family | All Revisions | | Not Affected
Multimedia Players Devices
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSM-380 BoxeeBox | All Revisions | | Not Affected
DSM-382 BoxeeTV | All Revisions | | Not Affected
DSM-310/312 MovieNight | All Revisions | | Not Affected
D-Link Software and Services
Note: Each product that utilizes the OpenSSL software library is listed below with status.
If your product is not listed, it does not include the OpenSSL Library and is not affected by this security vulnerability.
Model Name | HW Version | New FW Version for this exploit fix
mydlink cloud portal and service | All versions | Not Affected
D-View SNMP Mgt. System | All versions | Not Affected
D-View Cam System | All versions | Not Affected
D-View VPN Client | All versions | Not Affected
D-Link Cloud Command AP manager | All versions | Not Affected
3rd Party multimedia streams on DSM media player family | D-Link product Not Affected | Please consult service website for information.
3rd Party software support for DNS storage family | D-Link product Not Affected | Please consult service website for information.
3rd Party cloud service for DAP access point family | D-Link product Not Affected | Please consult service website for information.
Mobile Applications
Model Name | Current FW Version | New FW Version for this exploit fix
mydlink iOS Applications | All Versions | Not Affected
mydlink Android Applications | All Versions | Not Affected
SmartPlug Application | All Versions | Not Affected
NVR-View | All Versions | Not Affected
CAM-View | All Versions | Not Affected
Security patches for your D-Link Product
Firmware updates listed above address the security vulnerabilities in affected D-Link products. D-Link will update this list continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device web configuration.