Overview
The Following D-Link SmartPro Switches contain a vulnerability due to the use of the OpenSSL software stack. An attacker using a carefully crafted handshake can force the use of weak encryption on OpenSSL SSL/TLS clients and these D-Link SmartPro Switches. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device. The attack can only be performed between OpenSSL clients *and* devices that utilize OpenSSL like the affected D-Link SmartPro Switch.
References
OpenSSL - Link
Lepidum - Link
Description
OpenSSL’s ChangeCipherSpec processing has a vulnerability that can be exploited by a man-in-the-middle attack. This vulnerability allows malicious host to intercept encrypted data and decrypt them between a device and client using OpenSSL, This malicious host can then force SSL clients to use weak keys exposing the communication between the now, exploited hosts. Both OpenSSL servers and OpenSSL clients are affected by this vulnerability, and should be updated immediately. This vulnerability is easily reproducible and it is very likely for attackers to utilize this vulnerability for targeted attacks.
Recommendations
All devices on your network should have log-in credentials and if your network has WiFi, please make sure WiFi encryption-keys are enabled. Also for devices that cannot notify the owner of new software updates, check for updates from the device manufacturer.
Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclosures.
D-Link recommends keeping all PCs (Windows or Mac) up-to-date and scanned for viruses, malware, bots, or other damaging software that could compromise the local network they are connected to.
Affected Product
|
Model Name
|
HW Version
|
Vulnerability Discovered
|
Vulnerable FW Versions
|
Current FW Versions (include fixes)
|
|
DGS-1210-20
|
C1
|
07/17/2014
|
All FW older than v4.00.041
|
v 4.00.B055 (10/27/2014)
Release Notes: Link
|
|
DGS-1210-28
|
C1
|
07/17/2014
|
All FW older than v4.00.012
|
v 4.00.B055 (10/27/2014)
Release Notes: Link
|
|
DGS-1210-28P
|
C1
|
07/17/2014
|
All FW older than v4.00.043
|
v 4.00.B055 (10/27/2014)
Release Notes: Link
|
|
DGS-1210-52
|
C1
|
07/17/2014
|
All FW older than v4.00.025
|
v 4.00.B055 (10/27/2014)
Release Notes: Link
|
|
Model Name
|
HW Version
|
Vulnerability Discovered
|
Vulnerable FW Versions
|
Current FW Versions (include fixes)
|
|
DGS-1500.20
|
A1,A2
|
07/17/2014
|
All FW older than v2.51.005
|
V 2.51.B007 (10/27/2014)
Release Notes: Link
|
|
DGS-1500-28
|
A1,A2
|
07/17/2014
|
All FW older than v2.51.005
|
V 2.51.B007 (10/27/2014)
Release Notes: Link
|
|
DGS-1500-28P
|
A1,A2
|
07/17/2014
|
All FW older than v2.51.005
|
V 2.51.B007 (10/27/2014)
Release Notes: Link
|
|
DGS-1500-52
|
A1,A2
|
07/17/2014
|
All FW older than v2.51.005
|
V 2.51.B007 (10/27/2014)
Release Notes: Link
|
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.