Security Announcement
(non-US) DSL-6740C :: All H/W Revisions :: End-of-Life / End-of-Service :: CVE-2024-11068 - Unauthorized Configuration Access Vulnerability
Publication ID: SAP10414
Resolved Status: Yes
Published on: 12 November 2024 5:54 GMT
Last updated on: 19 November 2024 12:19 GMT

Overview

The (Non-US Available) DSL-6740C, all hardware revisions, reached its end-of-life ("EOL") / end-of-service-life ("EOS") life cycle on January 15, 2024. D-Link US recommends retiring and replacing D-Link devices that have reached EOL/EOS. Please contact your regional office for recommendations (LINK).

As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases. Please read the information and recommendations below.

Third-Party Report Information

Reports provided:

- Report 1: CVE-2024-11068: Link. Disclosed 11/11/2024
  - Description: Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user's password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user's account.
  - CNA: TWCERT/CC. Base Score: 9.8 CRITICAL
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - CWE-648: Incorrect Use of Privileged APIs
  - Author Public Disclosure Link

- Report 2: CVE-2024-11062: Link. Disclosed 11/11/2024
  - Description: OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
  - CNA: TWCERT/CC. Base Score: 7.2 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - Author Public Disclosure Link

- Report 3: CVE-2024-11063: Link. Disclosed 11/11/2024
  - Description: OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
  - CNA: TWCERT/CC. Base Score: 7.2 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - Author Public Disclosure Link

- Report 4: CVE-2024-11064: Link. Disclosed 11/11/2024
  - Description: OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
  - CNA: TWCERT/CC. Base Score: 7.2 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - Author Public Disclosure Link

- Report 5: CVE-2024-11065: Link. Disclosed 11/11/2024
  - Description: OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
  - CNA: TWCERT/CC. Base Score: 7.2 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - Author Public Disclosure Link

- Report 6: CVE-2024-11066: Link. Disclosed 11/11/2024
  - Description: OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet.
  - CNA: TWCERT/CC. Base Score: 7.2 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  - Author Public Disclosure Link

- Report 7: CVE-2024-11067: Link. Disclosed 11/11/2024
  - Description: Path Traversal vulnerability, allowing unauthenticated remote attackers to read arbitrary system files. Additionally, since the device's default password is a combination of the MAC address, attackers can obtain the MAC address through this vulnerability and attempt to log in to the device using the default password.
  - CNA: TWCERT/CC. Base Score: 7.5 HIGH
  - CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  - CWE-23: Relative Path Traversal
  - Author Public Disclosure Link


Affected Models

Model      Region   Hardware Revision          End of Support   Legacy Website   Last Updated
DSL-6740C  Non-US   All Series H/W Revisions   01/15/2024       Non-US: No       11/12/2024


Recommendation for End-of-Support/End-of-Life Products

From time to time, D-Link decides that some of its products have reached the End of Support ("EOS") or End of Life ("EOL"). D-Link may choose to EOS/EOL a product due to technological evolution, market demands, innovations, product efficiencies based on new technologies, or the product maturing over time to the point where it should be replaced by functionally superior technology.

For US Consumers

If a product has reached the End of Support ("EOS") or End of Life ("EOL"), it is usually not supported or developed further.

Typically, D-Link cannot resolve device or firmware issues for these products since all development and customer support have ceased.

D-Link strongly recommends that this product be retired and cautions that further use may put connected devices at risk. If US consumers continue to use these devices against D-Link's recommendation, please ensure that the device has the most recent firmware, that its unique password for the web configuration is updated frequently, and that Wi-Fi encryption is always enabled with a unique password.