Overview
D-Link has received a report that an attacker who is able to intercept and modify the DAP-1320's network traffic while a user checks for new firmware through the web UI can inject commands into the server's response. The injected commands are executed on the DAP-1320 if the user then attempts to update the firmware through the dialog that the device presents.
References
Allen Harper - Tangible Security - disclosures@TangibleSecurity.com
CERT Vulnerability ID :: VU#184100
NIST Vulnerability ID :: CVE-2015-2050
Details
When the DAP-1320 checks for the availability of new firmware, it pulls an XML file from a D-Link server.
If an attacker is able to intercept that request and modify the response, the returned XML file can be altered to indicate that updated firmware is available and to carry an injected command in place of the firmware's download location.
The user is then presented with a dialog indicating that new firmware is available for their DAP-1320.
If the user instructs the DAP-1320 to upgrade to that version using the dialog, the DAP-1320 passes the attacker-supplied download location to a command that is executed on the device, and the attacker's injected command runs with it.
If the attacker has local network access and is able to authenticate to the DAP-1320, they can trigger the firmware check and the upgrade themselves, performing the attack without assistance from a legitimate user.
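The following is an added illustration of the bug class described above, not code from D-Link's firmware or from the original report. The XML element names, the download host, and the use of echo as a stand-in for the device's downloader are all assumptions made for this example; the real DAP-1320 response format is not published here. The vulnerable handler concatenates the untrusted download location into a shell command string, so a MITM-rewritten response reaches /bin/sh; the hardened handler validates the location against an allowlisted https host and runs the downloader with an argv list and no shell, so metacharacters are never interpreted.

```python
import subprocess
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a firmware-check response as a MITM attacker might
# rewrite it. Element names are assumptions for this example, not D-Link's
# actual schema. The <url> field carries a shell payload after the ';'.
TAMPERED_RESPONSE = """<?xml version="1.0"?>
<firmware>
  <model>DAP-1320</model>
  <version>1.99</version>
  <url>http://127.0.0.1/fw.bin; echo INJECTED</url>
</firmware>
"""

# Constructed sample of an untampered response (host is assumed).
GENUINE_RESPONSE = """<?xml version="1.0"?>
<firmware>
  <model>DAP-1320</model>
  <version>1.21</version>
  <url>https://downloads.example.net/dap1320/fw.bin</url>
</firmware>
"""

# Stand-in for the real downloader. Firmware would typically run something
# like "wget <url>"; "echo" keeps this demonstration harmless.
DOWNLOADER = "echo"

# Assumed vendor download host for the hardened handler's allowlist.
ALLOWED_HOSTS = {"downloads.example.net"}


def parse_update_notice(xml_text):
    """Return (version, download location) from the check-for-update XML."""
    root = ET.fromstring(xml_text)
    return root.findtext("version"), root.findtext("url")


def vulnerable_download(xml_text):
    """The bug class: untrusted URL concatenated into a shell command.

    Whatever the server (or a MITM) placed in <url> is handed to /bin/sh,
    so a ';' in the field starts a second, attacker-chosen command.
    """
    _, url = parse_update_notice(xml_text)
    cmd = DOWNLOADER + " " + url  # string built from untrusted input
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def validate_download_url(url):
    """Reject anything that is not a plain https URL on an allowlisted host."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("download URL must use https")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("download host not allowlisted: %r" % parsed.hostname)
    if any(c.isspace() for c in url) or any(c in url for c in ";|&$`<>()"):
        raise ValueError("download URL contains shell metacharacters")
    return url


def hardened_download(xml_text):
    """Validate the URL, then run the downloader without a shell.

    With an argv list and shell=False the URL is one argument; even if the
    validation were skipped, a ';' would be passed literally, not executed.
    """
    _, url = parse_update_notice(xml_text)
    url = validate_download_url(url)
    result = subprocess.run([DOWNLOADER, url], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable handler output:", repr(vulnerable_download(TAMPERED_RESPONSE)))
    try:
        hardened_download(TAMPERED_RESPONSE)
    except ValueError as exc:
        print("hardened handler rejected tampered response:", exc)
    print("hardened handler, genuine response:", repr(hardened_download(GENUINE_RESPONSE)))
```

Running the block shows the vulnerable handler's stdout containing a second line, INJECTED, produced by the attacker's appended command, while the hardened handler refuses the tampered response before any process is spawned. Note that the allowlist and https requirement only help if the device also verifies the server's certificate; without that, the response itself remains modifiable on the wire, which is the precondition for this attack.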
Affected Product
| Model Name | HW Version | Vulnerable FW Versions | Current FW Versions (including fixes) |
| DAP-1320 | Ax | v1.10 and before | Current Firmware :: v1.21b05; Patched Firmware :: v1.21b01 |
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in the affected D-Link devices. D-Link will update this page as needed, and we strongly recommend that all users install the relevant updates.
As our products ship in different hardware revisions, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision is usually printed on the product label on the underside of the device, next to the serial number. Alternatively, it can be found in the device's web configuration interface.