Overview
D-Link Corporation recommends that all network attached storage devices and network video recorders be connected behind an adequate firewall that restricts access to the local LAN only. Until the report is completely verified and patches are available where necessary, we do not recommend exposing these D-Link devices to Internet traffic.
A 3rd party has performed an independent security assessment of D-Link storage devices. The report identifies unique vulnerabilities in these products using the publicly available firmware, classified as:
- Authentication can be bypassed.
- Some implemented security features may introduce command injection exploits.
- Unauthenticated file upload.
- Default users (root, nobody) can be used during authentication, and the administrator cannot change the default (empty) password of these users from the device web GUI.
References
SEARCH-LAB :: Link :: Disclosure May 27, 2015
SEARCH-LAB :: Link :: Original Report :: Initially July 30, 2014
CVE-2014-7857 :: Authentication bypass vulnerability
CVE-2014-7858 :: Check_login bypass vulnerability in DNR-326
CVE-2014-7859 :: Buffer overflow in login_mgr.cgi and in file_sharing.cgi
CVE-2014-7860 :: Unauthenticated photo publish
Description
The 3rd party has published details in a full report linked in the References section. In order to maintain the authenticity of the report, we recommend that any questions be directed toward the 3rd party at this time.
Recommendations
All devices on your network should have log-in credentials. If your network has WiFi, please make sure WiFi encryption keys are enabled. For devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer. For D-Link devices you can find them at http://support.dlink.com
Immediately update to the patched firmware referenced in the table below once it is made available. Please continue to monitor this page for further updates and disclosures.
D-Link recommends that your D-Link device's remote network management feature be disabled (the factory default is disabled) to mitigate a malicious remote user using this vulnerability to exploit your device. If remote network management is disabled, a malicious user would need to be on the local network, or to have compromised another device on the network that could then be used to attack the device.
D-Link recommends that all PCs (Windows or Mac) be kept up to date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.
WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI, in order to monitor the traffic and intercept the cookie.
The default configuration of D-Link's devices is intended to provide simple installation, ease of usability, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services that are not being used, changing/securing device log-in credentials, enabling WiFi encryption, monitoring the router's log files, and using access lists for your devices so that security risks to your entire network are minimized.
Affected Product
Model Name | HW Version | Vulnerable FW Versions | Current FW Versions (include fixes)
DNS-320 | Rev. Ax; Rev. Bx | Rev. Ax :: F/W ver. 2.03 and below; Rev. Bx :: F/W ver. 1.02b01 and below | Under Investigation (Updated 06/01/2015)
DNS-320L | Rev. Ax | Rev. Ax :: F/W ver. 1.03b04 and below | F/W ver. 1.04b12, Partial Patch :: Further updates will occur (Updated 03/30/2015)
DNR-322L | Rev. Ax | Rev. Ax :: F/W ver. 2.00b07 and below | Under Investigation (Updated 06/01/2015)
DNS-325 | Rev. Ax | Rev. Ax :: F/W ver. 1.05b03 and below | Under Investigation (Updated 06/01/2015)
DNR-326 | Rev. Ax | Rev. Ax :: F/W ver. 1.40b03 and below | Under Investigation (Updated 06/01/2015)
DNR-327L | Rev. Ax | Rev. Ax :: F/W ver. 1.02 and below | F/W ver. 1.03b04 Under Development (Updated 06/01/2015)
DNS-345 | Rev. Ax | Rev. Ax :: F/W ver. 1.03b06 and below | Under Investigation (Updated 06/01/2015)
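The table above is what an administrator has to check each device against. The following script is an added example (not D-Link's code) that encodes the model, hardware revision and "and below" thresholds from the table and classifies a device inventory against them. The inventory entries are constructed sample data. Two assumptions are made: a label revision such as "A1" belongs to the "Rev. Ax" family, and a threshold given without a build number (e.g. "1.02 and below") covers every build of that release.

```python
"""Classify D-Link NAS/NVR devices against the vulnerable firmware ranges in this advisory."""
import re
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    build: Optional[int]  # None when the string carries no 'bNN' build component


def parse_version(text: str) -> Version:
    """Parse D-Link style firmware strings: '2.03', '1.02b01', 'F/W ver.1.05b03'."""
    m = re.search(r"(\d+)\.(\d+)(?:b(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build = m.groups()
    return Version(int(major), int(minor), int(build) if build is not None else None)


def at_or_below(fw: Version, limit: Version) -> bool:
    """True if fw falls inside an 'X and below' range from the advisory table."""
    if limit.build is None:
        # Assumption: a threshold without a build number covers all builds of that release.
        return (fw.major, fw.minor) <= (limit.major, limit.minor)
    return (fw.major, fw.minor, fw.build or 0) <= (limit.major, limit.minor, limit.build)


def normalise_rev(hw_rev: str) -> str:
    """Map 'Rev. A1', 'A1', 'Ax' or 'B' to the advisory's 'Ax'/'Bx' family name (assumption)."""
    m = re.search(r"([A-Za-z])[0-9xX]?\s*$", hw_rev.strip())
    if not m:
        raise ValueError(f"unrecognised hardware revision: {hw_rev!r}")
    return m.group(1).upper() + "x"


# (model, HW family) -> (vulnerable "and below" threshold, fix status), taken from the table above.
ADVISORY = {
    ("DNS-320", "Ax"): ("2.03", "Under Investigation"),
    ("DNS-320", "Bx"): ("1.02b01", "Under Investigation"),
    ("DNS-320L", "Ax"): ("1.03b04", "Partial patch: F/W 1.04b12, further updates to follow"),
    ("DNR-322L", "Ax"): ("2.00b07", "Under Investigation"),
    ("DNS-325", "Ax"): ("1.05b03", "Under Investigation"),
    ("DNR-326", "Ax"): ("1.40b03", "Under Investigation"),
    ("DNR-327L", "Ax"): ("1.02", "F/W 1.03b04 under development"),
    ("DNS-345", "Ax"): ("1.03b06", "Under Investigation"),
}


def classify(model: str, hw_rev: str, fw: str) -> str:
    key = (model.strip().upper(), normalise_rev(hw_rev))
    if key not in ADVISORY:
        return "not listed in this advisory"
    limit_text, status = ADVISORY[key]
    if at_or_below(parse_version(fw), parse_version(limit_text)):
        return f"VULNERABLE: at or below {limit_text}; fix status: {status}"
    return f"above listed vulnerable range ({limit_text}); fix status: {status}"


# Constructed sample inventory; hostnames, revisions and firmware strings are made up.
INVENTORY = [
    {"host": "nas-01", "model": "DNS-320", "hw": "Rev. A1", "fw": "2.03"},
    {"host": "nas-02", "model": "DNS-320L", "hw": "A1", "fw": "1.04b12"},
    {"host": "nvr-01", "model": "DNR-327L", "hw": "A1", "fw": "1.02b03"},
    {"host": "nas-03", "model": "DNS-345", "hw": "A1", "fw": "1.03b07"},
    {"host": "nas-04", "model": "DNS-343", "hw": "A1", "fw": "1.05"},
]


def audit(inventory=INVENTORY):
    """Return (host, classification) pairs for every device in the inventory."""
    return [(d["host"], classify(d["model"], d["hw"], d["fw"])) for d in inventory]


if __name__ == "__main__":
    for host, verdict in audit():
        print(f"{host:8} {verdict}")
```

Devices reported as VULNERABLE should be kept off the Internet behind the firewall rules recommended above until the fix status for that model changes; devices above the listed range still need the "Current FW Versions" column checked, since for most models the fix is still under investigation.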
Security patch for your D-Link Devices
As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration interface.