• Home Support Forums Security Advisories Shop     English | French
Security Announcement
Announcement > SAP10053
DIR-815 :: Rev. Bx :: Command Injection :: FW 2.03b01 and below
Publication ID: SAP10053
Resolved Status: Partial
Published on: 9 March 2015 4:43 GMT
Last updated on: 9 March 2015 4:43 GMT

 

Overview

 

D-Link was presented with a report of a potential vulnerability in the DIR-815 by a third-party who conducted security penetration tests.   The vulnerability reportedly when submitting a POST request to command.php with the following a specifc string, it is possible to get a directory listing from the device. Using this knowledge malicous user with access to the LAN side of the device may use the vulnerability to to obtain the device password.

 

References

 

John R. Cloonan :: Contact :: CVE-2014-8888 :: Initially November 10, 2014

 

Brennan Brezeau and Paul Ionesou :: Proof of Concept  :: November 10, 2014

 

 

Description

 

A reference or a link to the original report by the third-party author is provided above.  This third-party’s report is not created by D-Link.  We encourage you to reference the third-party’s original post and contact the author if you have any questions about the vulnerability.

 

Please note these vulnerabilities may present potential LAN-Side or in-home risks.  The affected devices have a feature, which is default off/disabled, that allows remote administrative access. If the user turns this feature on/enabled, they may potentially put the device at risk to these attacks from the outside/internet.

 

In addition, some of these reported vulnerabilities require observing a LAN-Side user or tricking a user browser to gain access. To observe a user configuring the device, requires access to your home network or the use of other security exploits of other home network devices, like your personal computer, tablets, mobile phones, not related to the device.

 

1) Command Injection

 

       a) Command Injection of malicious code that is unchecked by command.php.  

 

Recommendations

 

Disable remote administrative access and/or verify the device’s remote administrative access feature is disabled.

 

Check router device history for any unauthorized access.

 

All devices on your network should have log-in credentials and if your network has WiFi, please make sure WiFi encryption-keys are enabled. Also for devices that cannot notify the owner of a new software updates, check for updates from the devices manufacture.

 

Immediately update to the fixed firmware referenced in the table below as they are made available. Please continue to monitor this page for further updates and disclourses.

 

D-Link recommends that your D-Link router remote network management feature be disabled (factory default is disabled) to mitigate a malicious remote user using this vulnerability to exploit your router.  If remote network management is disabled, a malicious user would require to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.

 

D-Link recommends that all PCs (Window or Mac) be up-to-date and scanned for virus, bots, or other damaging software that could compromise the network they are connected.

 

WiFi encryption reduces the risk to this vulnerability if the device Web-GUI is accessed over WiFi. If WiFi network was encrypted, the malicious user would also need to compromise the WiFi encryption, or PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie. 

 

The default configuration of D-Link's routers is to provide simple installation, ease of useability, and offer widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically to  and for security concerns within their network infrastructure. In General, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the routers log files, and access-lists for your devices so security risks for your entire network are minimized.

 

Affected Product

 

Model Name

HW Version

Vulnerable FW Versions

Current FW Versions   (include fixes)

DIR-815

Ax

Bx

Rev. Ax :: Not Affected

Rev. Bx : v2.03b01 and below

Rev Ax :: Not Affected

Rev. Bx Release: v2.03b02 and later

 

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.