Overview
On December 10, 2022, a third-party security researcher reported that the DIR-842v2 has multiple command injection vulnerabilities.
As soon as D-Link was aware of the reported security issues, we started our investigation, confirmed the report, and developed security patches.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
Report information
- Reported by: stefan _dot_ octavian _dot_ trifescu _at_ gmail _dot_ com
Report Details
- Command Injection #1: A command injection was found in the HTTP server, in the binary aweb, in the function action_iperf. This functionality can be reached by sending a specific command over WebSockets. The vulnerability exists because several parameters are not validated before use. (Beta HotFix Released Below)
- Command Injection #2: A command injection was found in the Restore functionality. The uploaded configuration file is loaded without being correctly verified. The vulnerable field, Shell, designates which program to run when the telnet service is enabled, and it can be modified to bypass authentication on a telnet connection. (Beta HotFix Released Below)
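Both findings above come down to fields that reach a program launcher without validation: request parameters handed to an iperf invocation, and a Shell path read from a restored configuration file. The following is an added illustration of the defensive pattern that closes this class of bug; it is not D-Link's aweb code and does not reproduce the patched firmware. The function names, the iperf3 argument layout, the parameter bounds and the shell allowlist are all assumptions made for the example. The two points it shows are strict allowlist validation of every field before use, and building an argv for a direct exec rather than passing a string through a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allowlist: only these exact paths are acceptable values for a
 * "Shell" field read from a restored configuration file. Hypothetical list. */
static const char *const SHELL_ALLOWLIST[] = { "/bin/sh", "/bin/ash" };

/* Returns 1 if the value is an exact allowlist entry, 0 otherwise. Exact
 * comparison means trailing arguments, other binaries and relative paths
 * are rejected outright rather than "cleaned up". */
int shell_field_allowed(const char *value) {
    if (value == NULL) return 0;
    for (size_t i = 0; i < sizeof SHELL_ALLOWLIST / sizeof SHELL_ALLOWLIST[0]; i++) {
        if (strcmp(value, SHELL_ALLOWLIST[i]) == 0) return 1;
    }
    return 0;
}

/* Returns 1 if host looks like a plain hostname or IPv4 literal: letters,
 * digits, '.' and '-' only, and not starting with '-' (which iperf would
 * read as an option). Anything else, including every shell metacharacter
 * and whitespace, fails the check. */
int valid_host(const char *host) {
    if (host == NULL) return 0;
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Parses s as a bare decimal number and returns it if it lies in [lo, hi];
 * returns -1 for anything else (sign, spaces, hex prefix, too long, out of
 * range). Only digits are accepted, so strtol never sees untrusted syntax. */
long bounded_uint(const char *s, long lo, long hi) {
    if (s == NULL || *s == '\0' || strlen(s) > 9) return -1;
    for (const char *p = s; *p; p++) {
        if (!isdigit((unsigned char)*p)) return -1;
    }
    long v = strtol(s, NULL, 10);
    return (v >= lo && v <= hi) ? v : -1;
}

/* Validates the three request fields and, on success, fills argv with an
 * argument vector suitable for execvp()/posix_spawn(). The program is run
 * directly, never through "sh -c", so a field can only ever be an argument.
 * argv must have room for at least 8 pointers. Returns the argument count,
 * or a negative code identifying the rejected field. */
int build_iperf_argv(const char *host, const char *port, const char *seconds,
                     const char *argv[], size_t argv_cap) {
    if (argv_cap < 8) return -4;
    if (!valid_host(host)) return -1;
    if (bounded_uint(port, 1, 65535) < 0) return -2;
    if (bounded_uint(seconds, 1, 60) < 0) return -3;   /* hypothetical cap */
    argv[0] = "iperf3";  /* hypothetical client binary name */
    argv[1] = "-c"; argv[2] = host;
    argv[3] = "-p"; argv[4] = port;
    argv[5] = "-t"; argv[6] = seconds;
    argv[7] = NULL;
    return 7;
}

int main(void) {
    const char *argv[8];
    int n = build_iperf_argv("192.168.0.10", "5201", "10", argv, 8);
    printf("valid request -> %d args\n", n);
    n = build_iperf_argv("192.168.0.10;id", "5201", "10", argv, 8);
    printf("host containing a metacharacter -> rejected (%d)\n", n);
    printf("Shell=/bin/sh allowed: %d\n", shell_field_allowed("/bin/sh"));
    printf("Shell=/tmp/shell allowed: %d\n", shell_field_allowed("/tmp/shell"));
    return 0;
}
```

The allowlist checks deliberately reject rather than sanitise: a value that is not exactly what the service expects is treated as a malformed request or a tampered configuration file, which is also the event a defender wants logged. Removing the shell from the launch path is the second half of the fix; validation alone protects the current call site, while a direct exec means a field that slips past a future check still cannot become a second command.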
Affected Models
Model | Hardware Revision | Region | Affected FW | Fixed FW | Recommendation | Last Updated
DIR-842v2 | All A Series Hardware Revisions | Non-US | v1.0.3 & Below | Beta_Hotfix | Upgrade to Hotfix Patch | 06/12/2023
Regarding the Security patch for your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
Please note that this device's beta software, beta firmware, or hot-fix release is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis, and the user assumes all risk and liability for the use thereof. D-Link does not offer any express or implied warranties regarding the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether direct, indirect, special, or consequential, suffered by any party due to their use of the beta firmware.
As our products have different hardware revisions, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information is usually found on the product label on the underside of the device, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.