Support Announcement
(non-US) DIR-842v2 :: H/W Rev. Ax :: F/W v1.0.3 :: 2 x Command Injection vulnerabilities
Overview


On December 10, 2022, a third-party security researcher reported that the DIR-842v2 has multiple command injection vulnerabilities.


As soon as D-Link became aware of the reported security issues, we started our investigation, confirmed the report, and developed security patches.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.


Report information

          - Reported by: stefan _dot_ octavian _dot_ trifescu _at_ gmail _dot_ com


Report Details


          - Command Injection #1: A command injection was found in the HTTP server, in the binary aweb, in the function action_iperf. This functionality can be reached by sending a specific command over WebSockets. The vulnerability exists because several parameters are not validated before use. (Beta HotFix Released Below)


          - Command Injection #2: A command injection was found in the Restore functionality. The uploaded configuration file is not properly verified before it is loaded. The vulnerable field, Shell, designates which program is run when the telnet service is enabled, and it can be modified to bypass authentication on a telnet connection. (Beta HotFix Released Below)
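Both findings above are the same bug class: a value the device does not control (a request parameter, a field in an uploaded configuration file) is used to build or select a command. The following C program is an added illustration written for this page; it is not D-Link's aweb or Restore code and does not reproduce either finding. It shows the unsafe pattern (a parameter formatted into a command line) beside a hardened handler that allowlists the host and port and starts the program without a shell, plus an allowlist check for a "Shell"-style configuration field. The function names, the permitted-shell list and the sample inputs are assumptions made for the example.

```c
/*
 * Added illustration, not D-Link's aweb or Restore code: the bug class named in
 * the advisory (an unvalidated parameter spliced into a command line) next to a
 * hardened handler. Function names, the allowed-shell list and the sample
 * inputs are assumptions made for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (for comparison only): the untrusted host parameter is
 * formatted straight into a string that would later be handed to system() or
 * popen(). A constructed value such as "10.0.0.1;reboot" then runs as two
 * commands. Never call this with attacker-controlled input. */
static int build_cmdline_unsafe(const char *host, char *out, size_t outlen)
{
    return snprintf(out, outlen, "iperf -c %s", host);
}

/* Allowlist a host: only [A-Za-z0-9.-], 1..253 bytes, and not starting with
 * '-' (would be parsed as an option) or '.'. Shell metacharacters such as
 * ';', '|', '`', '$', '&' and whitespace are rejected by construction. */
int valid_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Allowlist a port: decimal digits only (no sign, no spaces), range 1..65535. */
int valid_port(const char *port)
{
    size_t n = strlen(port);
    if (n == 0 || n > 5) return 0;
    long v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)port[i])) return 0;
        v = v * 10 + (port[i] - '0');
    }
    return v >= 1 && v <= 65535;
}

/* Restore-style check for a "Shell" field: accept only a fixed allowlist of
 * login programs (the set below is an assumption for the example), never an
 * arbitrary path or command string taken from the uploaded file. */
int valid_shell_field(const char *shell)
{
    static const char *const allowed[] = { "/bin/sh", "/bin/login" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(shell, allowed[i]) == 0) return 1;
    return 0;
}

/* Hardened execution: validated parameters become separate argv entries and
 * the program is started directly, so no shell ever parses them.
 * Returns the child's exit status, or -1 if validation or fork fails. */
int run_iperf(const char *host, const char *port)
{
    if (!valid_host(host) || !valid_port(port)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("iperf", "iperf", "-c", host, "-p", port, (char *)NULL);
        _exit(127); /* exec failed: the binary is not on PATH */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char buf[128];
    const char *injected = "10.0.0.1;reboot"; /* constructed sample input */
    build_cmdline_unsafe(injected, buf, sizeof buf);
    printf("unsafe command line: %s\n", buf);
    printf("valid_host(\"%s\") = %d\n", injected, valid_host(injected));
    printf("valid_host(\"10.0.0.1\") = %d\n", valid_host("10.0.0.1"));
    printf("valid_port(\"5201\") = %d, valid_port(\"0\") = %d\n",
           valid_port("5201"), valid_port("0"));
    printf("valid_shell_field(\"/bin/sh\") = %d\n", valid_shell_field("/bin/sh"));
    printf("valid_shell_field(\"/bin/sh -c id\") = %d\n",
           valid_shell_field("/bin/sh -c id"));
    printf("run_iperf with injected host -> %d (rejected)\n",
           run_iperf(injected, "5201"));
    return 0;
}
```

The point of the hardened path is that validation and execution are separated: the allowlist rejects anything a hostname or port never legitimately contains, and even a value that passes is handed to the program as its own argv entry rather than to a shell. The same allowlist idea applies to the Restore case: a field that selects a program to run should be compared against a short, fixed set of permitted binaries before the configuration is accepted.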


Affected Models

Model      Hardware Revision                Region  Affected FW     Fixed FW     Recommendation           Last Updated
DIR-842v2  All A Series Hardware Revisions  Non-US  v1.0.3 & Below  Beta_Hotfix  Upgrade to Hotfix Patch  06/12/2023


Regarding the Security patch for your D-Link Devices


Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.


Please note that this device's beta software, beta firmware, or hot-fix release is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis, and the user assumes all risk and liability for the use thereof. D-Link does not offer any express or implied warranties regarding the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether direct, indirect, special, or consequential, suffered by any party due to their use of the beta firmware.


As our products have different hardware revisions, please check the revision on your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the device, next to the serial number. Alternatively, it can be found in the device's web configuration interface.