• Home Support Forums Security Advisories Shop     English | French
Security Announcement
Announcement > SAP10060
D-Link Router : HTTP Buffer Overflow
Publication ID: SAP10060
Resolved Status: Partial
Published on: 17 July 2015 4:24 GMT
Last updated on: 14 August 2015 11:54 GMT

Overview

 Several of D-Link's Wireless Routers contain buffer overflow and command injection vulnerabilities involving HTTP authentication.  These vulnerabilities have been identified and reported to D-Link by a security researcher.


 

References

Samuel Huntley - Contact : Link

 
 

Description

Several D-Link routers suffer from buffer overflow vulnerabilities involving HTTP Authentication.


Attacks may require access to the LAN of the router (or remote management to be enabled),  or even the assistance of an authenticated used in order to deploy the attack.  Cross-Site Request Forgery may allow a remote attacker to take advantage of an unwitting victim.


D-Link recommends users not enable remote management on their routers in order to limit their exposure to malicious users.


D-Link recommends of strong wireless keys to help prevent unauthorized users on your network.

 

 

 

Affected Product

 

Model Name

HW Version

Vulnerable FW Versions

Current FW Versions   (include fixes)
DIR-601  B1  

 Under Investigation


(Updated: 07/17/2015)
DIR-645  A1   v. 1.05b01 and older

FW ETA 07/31/2015

FW: 1.06B01

Release Notes: Link


(Updated: 07/17/2015)
DIR-815  B1  v. 2.04b01 and older

 FW ETA 07/31/2015

FW: 2.05B01

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-817LW  A1  v. 1.06b04 and older

 FW: 1.04b02

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-818LW  B1  v. 1.04FBb01 and older

 FW: 2.05b03

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-825

C1

 

 Under Investigation


(Updated: 07/17/2015)
DIR-866  A1  v. 1.01 and older

 FW: 1.03b01

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-880L  A1  v. 1.04WWb01 and older

 FW: 1.05wwb01_f73b

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-880L  A1  1.04FBb01 and older

 FW: 1.05fbb01_f76i

Release Notes: Link

 

(Updated: 07/17/2015)
DIR-890L  A1  1.06b04 and older

 FW: 1.07B011

Release Notes: Link

 

(Updated: 07/17/2015)

 

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.