Overview
Important: DCS-930L/932L/942L cameras sold in the US no longer use a CD-based installation application. As of July 2013, these CD-based setup applications no longer allow the user to install the camera successfully because of many changes in firmware, authentication, and cloud services. Since it may still be possible to purchase older stock through the D-Link sales channel, and one of our users could attempt to use the CD-based installation, we are posting this advisory to the knowledge base. ALL users should download the latest offered setup applications from mydlink.com as instructed; these applications also check the device firmware and instruct the user to upgrade it if needed.
The DCS-930L, DCS-932L, DCS-942L, and DCS-5222L setup wizard application was found to have a vulnerability during its operation. Setup wizards are meant to provide users a quick and easy way to configure new devices. The window of vulnerability is considered small, since the setup is performed in-home behind an existing router/firewall, and it spans only the time between the factory-new configuration start-up and the run of the CD-based setup wizard, which forces you to change the device admin password (the new password is not exchanged in plain text).
D-Link Security Incident Response Policy
All public communication on this issue will be offered at http://securityadvisories.dlink.com/security/
Our security response team can be contacted for incident information or to report incidents at security@dlink.com
For any non-critical security issue, help in updating firmware, or configuration questions regarding this issue, please contact your D-Link Customer Care channel.
Reference
Jason Doyle - Fishnet security - Disclosure June 14, 2012 - CVE-2012-4046
SecList Bugtraq - Password Disclosure - Disclosure Dec. 13, 2012
ConsoleCowboys - Open Sesame - Disclosure Dec. 27, 2012
General Disclosure
Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns. In the meantime, you can exercise the below cautions to avoid unwanted intrusion into your D-Link router.
Immediate Recommendations for all D-Link customers
- Do not enable the Remote Management feature, since this would allow malicious users to use this exploit from the internet. Remote Management is disabled by default on all D-Link products and is included for customer care troubleshooting, if useful and if the customer enables it.
- If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to take action, please ignore them. Clicking on links in such e-mails could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages asking you to click or install something.
- Make sure that your wireless network is secure.
Details
Prior to mid-2012, during a factory-new device installation the D-Link mydlink camera CD-based Setup Wizard first sends an anonymous request to the camera to retrieve its current password, and then validates the user-supplied password against it. Because the camera does not authenticate the requestor of that password request, anyone (authorized or unauthorized) on the network can mimic the wizard, send the same request, and trick the camera into giving up its password.
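The design flaw described above is a credential-disclosure pattern rather than a protocol-specific bug: the device hands its secret to whoever asks, so that the client can do the comparison. The following is an added, constructed model (not D-Link code; the operation names, message shapes and the HMAC-over-nonce scheme are assumptions made for illustration) that places that vulnerable check beside a hardened one in which the password never leaves the camera and the wizard proves knowledge of it against a single-use challenge.

```python
"""Toy model of a setup-wizard password check: vulnerable vs. hardened.

Constructed example for this advisory; nothing here is the real camera
protocol. Both cameras receive plain dict "requests" and return dict
"responses", standing in for HTTP calls on the LAN.
"""
import hashlib
import hmac
import secrets


def _password_key(password: str) -> bytes:
    """Derive a fixed-length HMAC key from the password (toy derivation)."""
    return hashlib.sha256(password.encode()).digest()


def make_proof(password: str, nonce: str) -> str:
    """What the wizard sends instead of the password: HMAC(key, nonce)."""
    return hmac.new(_password_key(password), nonce.encode(), hashlib.sha256).hexdigest()


class VulnerableCamera:
    """Mirrors the pre-mid-2012 flow: any caller can fetch the admin password."""

    def __init__(self, admin_password: str):
        self._admin_password = admin_password

    def handle(self, request: dict) -> dict:
        if request.get("op") == "get_password":
            # No check of who is asking: the secret is returned to anyone.
            return {"password": self._admin_password}
        return {"error": "unknown op"}


class HardenedCamera:
    """The secret stays on the device; the caller proves knowledge of it."""

    def __init__(self, admin_password: str):
        self._key = _password_key(admin_password)
        self._nonces: set = set()  # outstanding single-use challenges

    def handle(self, request: dict) -> dict:
        op = request.get("op")
        if op == "challenge":
            nonce = secrets.token_hex(16)
            self._nonces.add(nonce)
            return {"nonce": nonce}
        if op == "auth":
            nonce = request.get("nonce", "")
            if nonce not in self._nonces:
                return {"ok": False}  # unknown or already-used nonce: replay fails
            self._nonces.discard(nonce)
            expected = hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()
            # Constant-time compare so a wrong proof leaks nothing via timing.
            return {"ok": hmac.compare_digest(expected, request.get("proof", ""))}
        if op == "get_password":
            return {"error": "not supported"}  # disclosure path removed entirely
        return {"error": "unknown op"}


def wizard_against_vulnerable(camera: VulnerableCamera, user_password: str) -> bool:
    """Original wizard logic: fetch the password, compare on the client."""
    leaked = camera.handle({"op": "get_password"})["password"]
    return leaked == user_password


def wizard_against_hardened(camera: HardenedCamera, user_password: str) -> bool:
    """Hardened wizard logic: obtain a nonce, send a proof, let the camera decide."""
    nonce = camera.handle({"op": "challenge"})["nonce"]
    proof = make_proof(user_password, nonce)
    return bool(camera.handle({"op": "auth", "nonce": nonce, "proof": proof})["ok"])


def bystander_request(camera) -> dict:
    """Any other host on the LAN sending the wizard's first request."""
    return camera.handle({"op": "get_password"})


if __name__ == "__main__":
    vuln = VulnerableCamera("factory-default")
    hard = HardenedCamera("factory-default")
    print("vulnerable camera answers a bystander with:", bystander_request(vuln))
    print("hardened camera answers a bystander with:", bystander_request(hard))
    print("legit wizard vs hardened camera:", wizard_against_hardened(hard, "factory-default"))
```

The hardened variant removes the disclosure path rather than guarding it: there is no operation that returns the password, and a captured proof is useless after its nonce is consumed. Note that a challenge-response check on its own does not protect a weak factory-default password from offline guessing by a passive observer, which is why the advisory's forced password change at first setup remains the essential step.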
Affected Products
Note: this applies to all North American versions only (mydlink devices are geo-locked to provide the best cloud service performance).
| Model Name | HW Version | Vulnerable FW & Setup Wizard | Current Versions with fix |
|---|---|---|---|
| DCS-930L | Ax/Bx | v1.02 and lower | Setup: 1.04.07, FW: 1.08B04 |
| DCS-932L | Ax/Bx | v1.03 and lower | Setup: 1.04.07, FW: 1.06B04 |
| DCS-942L | Ax | v1.02 and lower | Setup: 1.04.07, FW: 1.22 |
| DCS-5222L | Ax | 1.02 and lower | Setup: 1.04.07, FW: 1.11 |
Security patch for your D-Link cameras
These firmware updates address the security vulnerabilities in the affected D-Link cameras. D-Link will update this list continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The version of the Setup Wizard application posted above checks the firmware version and requests that the user upgrade. In addition, the mydlink mobile camera app checks for the latest firmware and requests an upgrade if necessary every time the camera is accessed.
DCS-930L Revision Ax/Bx
The new firmware 1.06B04 fixes the security vulnerabilities.
Setup: 1.04.07
FW: 1.08B04
Please follow the instructions in the Setup Wizard to upgrade the firmware.
DCS-932L Revision Ax/Bx
The new firmware 1.06B04 fixes the security vulnerabilities.
Setup: 1.04.07
FW: 1.06B04
Please follow the instructions in the Setup Wizard to upgrade the firmware.
DCS-942L Revision Ax
The new firmware 1.22 fixes the security vulnerabilities.
Setup: 1.04.07
FW: 1.22
Please follow the instructions in the Setup Wizard to upgrade the firmware.
DCS-5222L Revision Ax
The new firmware 1.22 fixes the security vulnerabilities.
Setup: 1.04.07
FW: 1.11