Support Announcements
DGS-1210-xx Rev. C1 / DGS-1500-xx Rev. Ax - OpenSSL CCS Injection Vulnerability

Overview

 

The Following D-Link SmartPro Switches contain a vulnerability due to the use of the OpenSSL software stack. An attacker using a carefully crafted handshake can force the use of weak encryption on OpenSSL SSL/TLS clients and these D-Link SmartPro Switches. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device. The attack can only be performed between OpenSSL clients *and* devices that utilize OpenSSL like the affected D-Link SmartPro Switch.

 

References 

OpenSSL - Link

Lepidum - Link

 
Description

 

OpenSSL’s ChangeCipherSpec processing has a vulnerability that can be exploited by a man-in-the-middle attack. This vulnerability allows malicious host to intercept encrypted data and decrypt them between a device and client using OpenSSL, This malicious host can then force SSL clients to use weak keys exposing the communication between the now, exploited hosts. Both OpenSSL servers and OpenSSL clients are affected by this vulnerability, and should be updated immediately. This vulnerability is easily reproducible and it is very likely for attackers to utilize this vulnerability for targeted attacks.

 

 Recommendations

 

All devices on your network should have log-in credentials and if your network has WiFi, please make sure WiFi encryption-keys are enabled. Also for devices that cannot notify the owner of new software updates, check for updates from the device manufacturer.

Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclosures.

D-Link recommends keeping all PCs (Windows or Mac) up-to-date and scanned for viruses, malware, bots, or other damaging software that could compromise the local network they are connected to.

 

Affected Product

 

   Model Name

HW Version

Vulnerability Discovered

Vulnerable FW Versions

Current FW Versions   (include fixes)

DGS-1210-20

C1

 07/17/2014

 All FW older than v4.00.041

v 4.00.B055 (10/27/2014)

Release Notes: Link

DGS-1210-28

C1

  07/17/2014

All FW older than v4.00.012

v 4.00.B055 (10/27/2014)

Release Notes: Link

DGS-1210-28P

C1

  07/17/2014

 All FW older than v4.00.043

v 4.00.B055 (10/27/2014)

Release Notes: Link

DGS-1210-52

C1

  07/17/2014

 All FW older than v4.00.025

v 4.00.B055 (10/27/2014)

Release Notes: Link

 

   Model Name

HW Version

Vulnerability Discovered

Vulnerable FW Versions

Current FW Versions   (include fixes)

DGS-1500.20

A1,A2

  07/17/2014

  All FW older than v2.51.005

V 2.51.B007 (10/27/2014)

Release Notes: Link

DGS-1500-28

A1,A2

  07/17/2014

 All FW older than v2.51.005

V 2.51.B007 (10/27/2014)

Release Notes: Link

DGS-1500-28P

A1,A2

  07/17/2014

  All FW older than v2.51.005

V 2.51.B007 (10/27/2014)

Release Notes: Link

DGS-1500-52

A1,A2

  07/17/2014

 All FW older than v2.51.005

V 2.51.B007 (10/27/2014)

Release Notes: Link

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.