Support Announcement
OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services

 

Overview

 On April 7, 2014, Mitre published CVE-2014-0160 (also known as the "Heartbleed Bug"), describing a security vulnerability in the OpenSSL software library. SSL/TLS is the most common form of encryption used to protect critical data sent over the internet from device to device, device to user, and device to service. SSL/TLS communication is most commonly recognized in a web browser, when a secure web site is accessed at an https://... address.
 
Quoted from the "Heartbleed Bug" site:


       "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."
 
        "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine whether our devices and customers are affected by this security vulnerability. The current status is listed below; for specific questions, contact us at security@dlink.com.


D-Link Security Incident Response Policy
 
All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, or for help with updating firmware or with configuration regarding this issue, please contact your D-Link customer care channel.
 

Reference

Heartbleed Site - Link - Many references and details regarding this issue

 

Mitre - CVE-2014-0160 - Link

 

OpenSSL - Post - Link
 


General Disclosure

Security and performance are of the utmost importance to D-Link across all product lines. This applies not just to the development process but also to regular firmware updates that comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can take the precautions below to avoid unwanted intrusion into your D-Link product.

 

Immediate Recommendations for all D-Link customers

 

  • Do not enable the Remote Management feature, since this would allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link routers; it is included for customer care troubleshooting, if useful and if the customer enables it.

 

  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click on or install something.

 

  • Make sure that your wireless network is secure.

 

  • Do not provide your admin password to anyone. If required we suggest updating the password frequently.

 

Description

We encourage users to read the links provided in the Reference section, so that we do not misinterpret or misuse the original reports, or duplicate the effort of reporting security issues.



From OpenSSL:

      TLS heartbeat read overrun (CVE-2014-0160):

      Any device that deployed OpenSSL version 1.0.1 or 1.0.2-beta is affected; this includes 1.0.1f and 1.0.2-beta1.

      A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
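
The bounds check described in the OpenSSL text above, as an added example (not D-Link's or OpenSSL's code): a heartbeat responder that applies the RFC 6520 length rule before echoing the payload. The helper name `hb_build_response` and both sample records are hypothetical and constructed for illustration; the message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) is the one defined in RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1    /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2    /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3u   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16u  /* minimum padding required by RFC 6520 */

/* Hypothetical helper (not OpenSSL's API). rec/rec_len are the bytes that
 * were actually received. Returns the response length, 0 when the message
 * must be silently discarded, or -1 when `out` is too small. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    /* The record must at least hold the header and the minimum padding. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;

    /* payload_length comes from the peer and cannot be trusted. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check whose absence is CVE-2014-0160: the claimed payload
     * plus header and padding must fit inside the received record. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo the payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* real stacks use random padding */
    return (long)resp_len;
}

/* Constructed samples: a well-formed 5-byte request, and a 19-byte record
 * whose length field claims 0x4000 bytes it does not contain. */
static const uint8_t SAMPLE_OK[24]  = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_BAD[19] = {HB_REQUEST, 0x40, 0x00};

long demo_ok(void)  { uint8_t o[64]; return hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK, o, sizeof o); }
long demo_bad(void) { uint8_t o[64]; return hb_build_response(SAMPLE_BAD, sizeof SAMPLE_BAD, o, sizeof o); }
```

Without the second check, the copy would read `claimed` bytes starting at the received record and run past its end, which is the "up to 64k of memory" disclosure the advisory describes.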

 

Affected Products and Services

 

     General guidelines for checking all devices that may be affected

OpenSSL
•    Affected Version: 1.0.1 ~ 1.0.1f / 1.0.2-beta
•    Version Name to fix: 1.0.1g / 1.0.2-beta1
•    Affected Linux Distribution:
     o    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
     o    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
     o    CentOS 6.5, OpenSSL 1.0.1e-15
     o    Fedora 18, OpenSSL 1.0.1e-4
     o    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
     o    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
     o    NetBSD 5.0.2 (OpenSSL 1.0.1e)
     o    OpenSUSE 12.2 (OpenSSL 1.0.1c)

    

     mydlink device cloud services
 

     - The mydlink cloud service and mydlink web portal are not affected by this security vulnerability.

     - Some mydlink devices are affected; we are preparing a list and schedule of fixes that will be updated below.

 

    D-Link Devices

 

    Consumer Wired/Wireless Routers

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DIR-505 & DIR-505L | A1/A2 | All Firmware | Not Affected
DIR-508L | A1 | All Firmware | Not Affected
DIR-510L | A1 | All Firmware | Not Affected
DIR-518L | A1 | All Firmware | Not Affected
DIR-600L | A1/B1 | All Firmware | Not Affected
DIR-605L | A1/B1 | All Firmware | Not Affected
DIR-619L | A1/B1 | All Firmware | Not Affected
DIR-636L | A1 | All Firmware | Not Affected
DIR-900L | A1 | All Firmware | Not Affected
DIR-905L | A1/B1 | All Firmware | Not Affected
DIR-808L | A1 | All Firmware | Not Affected
DIR-810L | A1 | All Firmware | Not Affected
DIR-816L | A1 | All Firmware | Not Affected
DIR-817L | A1 | All Firmware | Not Affected
DIR-820L | A1/B1 | All Firmware | Not Affected
DIR-820L-CV1 | A1 | All Firmware | Not Affected
DIR-820L-CV2 | A1 | All Firmware | Not Affected
DIR-826L | A1 | All Firmware | Not Affected
DIR-845L | A1 | All Firmware | Not Affected
DIR-850L | A1 | All Firmware | Not Affected
DIR-855L | A1 | All Firmware | Not Affected
DIR-860L | A1 | All Firmware | Not Affected
DIR-865L | A1 | All Firmware | Not Affected
DIR-868L | A1 | All Firmware | Not Affected
DIR-868L-CV | A1 | All Firmware | Not Affected
DIR-880L | A1 | All Firmware | Not Affected
DIR-505L | A1/A2 | All Firmware | Not Affected
VDI-604 | All Revisions | All Firmware | Not Affected
VDI-624 | All Revisions | All Firmware | Not Affected

 

    Broadband DSL/Cable/Fiber Wired/Wireless Routers

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSL-2640R | All Revisions | All Firmware | Not Affected
DSL-2740R | All Revisions | All Firmware | Not Affected
DSL-2750B | All Revisions | All Firmware | Not Affected
DSL-2750-SG | All Revisions | All Firmware | Not Affected
DSL-2680 | All Revisions | All Firmware | Not Affected
DSL-2780 | All Revisions | All Firmware | Not Affected
DSL-3680 | All Revisions | All Firmware | Not Affected
DSL-3780 | All Revisions | All Firmware | Not Affected
DSL-3882 | All Revisions | All Firmware | Not Affected
DSL-6300V | All Revisions | All Firmware | Not Affected
DCM Broadband Family | All Revisions | All Firmware | Not Affected
DWR Broadband Family | All Revisions | All Firmware | Not Affected
DWR-330-SG | All Revisions | All Firmware | Not Affected

 

     Business VPN/Services Routers

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSR Service Router Family | All Revisions | All Firmware | Not Affected
DFL Firewall Family | All Revisions | All Firmware | Not Affected

 

 

    Business and Consumer WiFi Access Points/Media Bridges/Extenders/Repeaters

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DAP Access Point Family | All Revisions | All Firmware | Not Affected
DAP Bridge Family | All Revisions | All Firmware | Not Affected
DAP Extender/Repeater Family | All Revisions | All Firmware | Not Affected
DAP Managed Access Point Family | All Revisions | All Firmware | Not Affected
DWL Unified Access Point | All Revisions | All Firmware | Not Affected
DWC Unified Wireless Controller Family | All Revisions | All Firmware | Not Affected
DAP Cloud-Service Access Point Family | All Revisions | All Firmware | Not Affected
DHP Powerline Family | All Revisions | All Firmware | Not Affected
DXN HPNA/MOCA Family | All Revisions | All Firmware | Not Affected
DEM Media Converter Family | All Revisions | All Firmware | Not Affected

 

    Consumer and Business Wired Switches

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DES Wired Switch Family | All Revisions | All Firmware | Not Affected
DGS Wired Switch Family | All Revisions | All Firmware | Not Affected
DXS Wired Switch Family | All Revisions | All Firmware | Not Affected
DWS Unified Wireless Switch Family | All Revisions | All Firmware | Not Affected
72xx Chassis Switch Family | All Revisions | All Firmware | Not Affected

 

 

    Business and Consumer Storage

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DNS-320 | Ax/Bx | All Firmware | Not Affected
DNS-320L | All Revisions | All Firmware | Not Affected
DNS-325 | All Revisions | All Firmware | Not Affected
DNS-327L | Ax | 1.01 Affected | Firmware: 1.02, Release Notes
DNR-312L | All Revisions | All Versions | Not Affected
DNR-322L | All Revisions | All Versions | Not Affected
DNR-326 | All Revisions | All Versions | Not Affected
DNR-2060-08P | All Revisions | All Versions | Not Affected
DNS-1200-04 | All Revisions | All Versions | Not Affected
DNS-1200-06 | All Revisions | All Versions | Not Affected
DNS-1550-04 | All Revisions | All Versions | Not Affected
DNS-1100-04 | All Revisions | All Versions | Not Affected
DNS-1200-05 | All Revisions | All Versions | Not Affected

 

 

 

    Network (IP) Camera (including mydlink consumer cameras)

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DCS-8xxL Family | All Revisions | All Versions | Not Affected
DCS-9xxL Family | All Revisions | All Versions | Not Affected
DCS-2xxxL Family | All Revisions | All Versions | Not Affected
DCS-3xxxL Family | All Revisions | All Versions | Not Affected
DCS-5xxxL Family | Most Revisions (exception below) | Most Versions (exception below) | Not Affected (exception below)
DCS-6xxxL Family | All Revisions | All Versions | Not Affected
DCS-7xxxL Family | All Revisions | All Versions | Not Affected

Specific Exceptions
DCS-5615 | Ax | 1.00 | Firmware: 1.01, Release Notes



   Smart/Connected Home Devices

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DCH Extender Family | All Revisions | All Versions | Not Affected
DSP Smart Plug Family | All Revisions | All Versions | Not Affected
DSP Smart Sensory Family | All Revisions | All Versions | Not Affected

 

   Networking Interface Cards (PCIe, USB, PCCard)

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DE/DFE Adapter Family | All Revisions | All Versions | Not Affected
DGS Adapter Family | All Revisions | All Versions | Not Affected
DWL/DWA Adapter Family | All Revisions | All Versions | Not Affected

 

    Print Servers and USB Devices

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DP print server Family | All Revisions | | Not Affected
DUB USB Device Family | All Revisions | | Not Affected

 

   Multimedia Players Devices

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | Current FW Version | New FW Version for this exploit fix
DSM-380 BoxeeBox | All Revisions | | Not Affected
DSM-382 BoxeeTV | All Revisions | | Not Affected
DSM-310/312 MovieNight | All Revisions | | Not Affected

 

    D-Link Software and Services

 

Note: Each product that utilizes the OpenSSL software library is listed below with status. If your product is not listed, it does not include the OpenSSL library and is not affected by this security vulnerability.

Model Name | HW Version | New FW Version for this exploit fix
mydlink cloud portal and service | All versions | Not Affected
D-View SNMP Mgt. System | All versions | Not Affected
D-View Cam System | All versions | Not Affected
D-View VPN Client | All versions | Not Affected
D-Link Cloud Command AP manager | All versions | Not Affected
3rd Party multimedia streams on DSM media player family | D-Link product Not Affected | Please consult service website for information.
3rd Party software support for DNS storage family | D-Link product Not Affected | Please consult service website for information.
3rd Party cloud service for DAP access point family | D-Link product Not Affected | Please consult service website for information.

 

    Mobile Applications

Model Name | Current FW Version | New FW Version for this exploit fix
mydlink iOS Applications | All Versions | Not Affected
mydlink Android Applications | All Versions | Not Affected
SmartPlug Application | All Versions | Not Affected
NVR-View | All Versions | Not Affected
CAM-View | All Versions | Not Affected

 

 

Security patches for your D-Link Product

 

Firmware updates listed above address the security vulnerabilities in affected D-Link products. D-Link will update this list continually, and we strongly recommend that all users install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration.