Security Announcement
DCS-930L/932L/942L - (Pre-2012) CD-Based Setup Wizard exposes plain-text administrative passwords during installation
Publication ID: SAP10009
Status: Resolved
Published on: 19 December 2013 11:13 GMT
Last updated on: 17 March 2014 10:55 GMT
 

Overview

 

Important: DCS-930L/932L/942L cameras sold in the US no longer use a CD-based installation application. As of July 2013, these CD-based setup applications no longer allow the user to install the camera successfully, because of the many changes in firmware, authentication, and cloud services. Since it may still be possible to purchase older stock through the D-Link sales channel, and a user could attempt to use the CD-based installation, we are posting this advisory for the knowledge base. ALL users should download the latest setup application offered at mydlink.com as instructed; it will also check the device firmware and instruct the user to upgrade if needed.

 

The setup wizard application for the DCS-930L, DCS-932L, DCS-942L, and DCS-5222L was found to have a vulnerability during operation. Setup wizards are meant to give users a quick and easy way to configure new devices. The window of vulnerability is considered small: the setup is expected to be performed in-home behind an existing router/firewall, and the window lasts only from the factory-new device's first start-up until the CD-based setup wizard is run, which forces you to change the device admin password; the new password is not exchanged in plain text.

 

D-Link Security Incident Response Policy

 

All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/

Our security response team can be contacted for incident information or to report incidents at security@dlink.com

For any non-critical security issue, help updating firmware, or configuration questions regarding this issue, please contact your D-Link Customer Care channel.

 

 

Reference

 

Jason Doyle - FishNet Security - Disclosure June 14, 2012 - CVE-2012-4046

SecLists Bugtraq - Password Disclosure - Disclosure Dec. 13, 2012

ConsoleCowboys - Open Sesame - Disclosure Dec. 27, 2012

 

General Disclosure

 

Security and performance are of the utmost importance to D-Link across all product lines, not only during the development process but also through regular firmware updates to comply with current safety and quality standards. We are proactively working with the sources of these reports and continuing to review the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the cautions below to avoid unwanted intrusion into your D-Link device.

 

Immediate Recommendations for all D-Link customers

     

  • Do not enable the Remote Management feature, since this would allow malicious users to use this exploit from the Internet. Remote Management is disabled by default on all D-Link products and is included for customer care troubleshooting, to be enabled by the customer only if useful.
  • If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking links in such e-mails could allow unauthorised persons to access your device. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
  • Make sure that your wireless network is secure.

 

Details

 

Prior to mid-2012, during a factory-new device installation the D-Link mydlink camera CD-based Setup Wizard would first send an anonymous request to the camera to retrieve its current password, and then validate the user-supplied password against it on the client side. The camera, however, does not authenticate the requester of that password request, so anyone able to reach the camera (authorized or unauthorized) can mimic the wizard and send the same request, tricking the camera into giving up its admin password in plain text.
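The flaw described above, as an added illustration (not D-Link's code and not the wizard's real on-wire protocol, which this page does not document): a small model in which the dict-based message format, the operation names get_password and check_password, and the attempt budget are assumptions made for the example. The disclosing design hands the secret to any requester so the client can compare it; the hardened design keeps the secret on the device and answers only accept or reject.

```python
"""Model of the setup-wizard password check: the disclosing design beside a
hardened one. Added example, not D-Link code; the message format, operation
names and attempt budget are assumptions for illustration only.
"""
import hmac
from typing import Optional


class VulnerableCamera:
    """Pre-mid-2012 pattern: the device hands its current admin password to
    any requester so the *client* can compare it with what the user typed.
    Nothing about the requester is checked."""

    def __init__(self, admin_password: str) -> None:
        self._admin_password = admin_password

    def handle(self, request: dict) -> dict:
        if request.get("op") == "get_password":
            # Anonymous disclosure: no credential, no requester check.
            return {"status": "ok", "password": self._admin_password}
        return {"status": "error", "reason": "unknown op"}


def wizard_validate_client_side(camera, typed_password: str) -> bool:
    """The wizard's original flow: fetch the secret, then compare locally."""
    resp = camera.handle({"op": "get_password"})
    return resp.get("status") == "ok" and resp["password"] == typed_password


def attacker_harvest(camera) -> Optional[str]:
    """Anyone who can reach the camera replays the wizard's anonymous request.
    Returns the password if the device discloses it, else None."""
    resp = camera.handle({"op": "get_password"})
    return resp.get("password")


class FixedCamera:
    """Hardened pattern: the secret never leaves the device. The client submits
    a candidate and gets only accept/reject, compared in constant time, with a
    small attempt budget so the check cannot serve as an unlimited guessing
    oracle."""

    def __init__(self, admin_password: str, max_attempts: int = 5) -> None:
        self._admin_password = admin_password.encode()
        self._attempts_left = max_attempts

    def handle(self, request: dict) -> dict:
        op = request.get("op")
        if op == "get_password":
            # The disclosing operation no longer exists.
            return {"status": "error", "reason": "unsupported op"}
        if op == "check_password":
            if self._attempts_left <= 0:
                return {"status": "error", "reason": "locked"}
            self._attempts_left -= 1
            candidate = str(request.get("password", "")).encode()
            valid = hmac.compare_digest(candidate, self._admin_password)
            return {"status": "ok", "valid": valid}
        return {"status": "error", "reason": "unknown op"}


def wizard_validate_server_side(camera, typed_password: str) -> bool:
    """The corrected wizard flow: send the candidate, trust only the verdict."""
    resp = camera.handle({"op": "check_password", "password": typed_password})
    return resp.get("status") == "ok" and bool(resp.get("valid"))


if __name__ == "__main__":
    old = VulnerableCamera("factory-default")   # constructed sample secret
    print("old design, attacker learns:", attacker_harvest(old))
    new = FixedCamera("factory-default")
    print("new design, attacker learns:", attacker_harvest(new))
    print("new design, wizard with correct password:",
          wizard_validate_server_side(new, "factory-default"))
```

The point of the model is where the comparison happens: any design that ships the secret to the client so the client can compare is disclosing it to whoever asks, regardless of how the wizard itself behaves. Moving the comparison onto the device, dropping the disclosure operation entirely, and bounding the number of checks is the shape of the fix.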

 

Affected Products

 

Note: this applies to all North American versions only (mydlink devices are geolocked to provide the best cloud service performance).

Model Name   HW Version   Vulnerable FW & Setup Wizard   Current Versions with fix
DCS-930L     Ax/Bx        v1.02 and lower                Setup: 1.04.07 / FW: 1.08B04
DCS-932L     Ax/Bx        v1.03 and lower                Setup: 1.04.07 / FW: 1.06B04
DCS-942L     Ax           v1.02 and lower                Setup: 1.04.07 / FW: 1.22
DCS-5222L    Ax           v1.02 and lower                Setup: 1.04.07 / FW: 1.11

 

Security patch for your D-Link cameras

 

These firmware updates address the security vulnerabilities in the affected D-Link cameras. D-Link will update this list continually, and we strongly recommend that all users install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The version of the Setup Wizard application listed above will check the firmware version and ask the user to upgrade. In addition, the mydlink mobile camera app checks for the latest firmware and requests an upgrade if necessary every time the camera is accessed.

 

DCS-930L Revision Ax/Bx
The new firmware 1.08B04 fixes the security vulnerabilities

 

Setup: 1.04.07

FW: 1.08B04

 

Please follow the instructions in the Setup Wizard to upgrade firmware

 

DCS-932L Revision Ax/Bx
The new firmware 1.06B04 fixes the security vulnerabilities

 

Setup: 1.04.07

FW: 1.06B04

 

Please follow the instructions in the Setup Wizard to upgrade firmware

 

DCS-942L Revision Ax
The new firmware 1.22 fixes the security vulnerabilities

 

Setup: 1.04.07

FW: 1.22

 

Please follow the instructions in the Setup Wizard to upgrade firmware

 

DCS-5222L Revision Ax
The new firmware 1.11 fixes the security vulnerabilities

 

Setup: 1.04.07

FW: 1.11

 

Please follow the instructions in the Setup Wizard to upgrade firmware