• October 05, 2024, 11:27:27 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Firmware 1.20B02 Released - SECURITY PATCH  (Read 10132 times)

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2752
Firmware 1.20B02 Released - SECURITY PATCH
« on: October 06, 2017, 09:57:09 AM »

The ZIP file will include 2 firmware files, release notes, and instructions.

Install v1.15B02 first, reboot, then install 1.20b02, reboot. It is recommended to perform a hard reset (paper clip in reset hole for 10 seconds) after updating.

DO NOT SKIP v1.15B02. Updating to 1.20B02 directly will not fix all issues.


Firmware - ftp://FTP2.DLINK.COM/PRODUCTS/DIR-895L/REVA/DIR-895L_REVA_FIRMWARE_PATCH_v1.20B02.zip


Release Notes:

  • Add Firmware Protection to BIN file and System
  • WAN && LAN - XSS exploit  (CVE-2017-14413, CVE-2017-14414, CVE-2017-14415, CVE-2017-14416)
  • WAN - Weak Cloud protocol  (CVE-2017-14419, CVE-2017-14420)
  • WAN && LAN - Stunnel private keys  (CVE-2017-14422)
  • WAN && LAN - Nonce brute forcing for DNS configuration  (CVE-2017-14423)
  • Local - Weak files permission and credentials stored in clear text  (CVE-2017-14424, CVE-2017-14425, CVE-2017-14426, CVE-2017-14427, CVE-2017-
    14428)
  • LAN – DoS attack against some daemons  (CVE-2017-14430)
  • Security fixes to PHP CGI files to mitigate exposing credentials
  • Correct stack overflow vulnerability caused by HNAP
« Last Edit: October 06, 2017, 11:12:51 AM by GreenBay42 »
Logged

heartsofwar

  • Guest
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #1 on: October 11, 2017, 02:03:00 PM »

Can someone post what 1.15 firmware fixes?

Again, D-Link baffles me... We have been stuck on 1.12 / 1.13 for months and then all of a sudden we are told there is a 1.20, but you can't update to it directly, you must update to 1.15; however, you can't download 1.15 directly... only 1.20!

D-link... please... get your crap straight... as it stands, I won't buy another d-link so long as I live. If it weren't for the fact I spent $400 on this damn router and that it'll cost me another $400 to replace, I would have jumped ship by now.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #2 on: October 11, 2017, 02:18:41 PM »

v1.15 is a transitional version of FW that needs to be applied before going to v1.20 is all. All other versions of FW after v1.13 and between v1.15 and v1.19 is not valid and not official releases for general public.

if your not happy with it then you could find someone got sell it too. Good Luck.


Can someone post what 1.15 firmware fixes?

Again, D-Link baffles me... We have been stuck on 1.12 / 1.13 for months and then all of a sudden we are told there is a 1.20, but you can't update to it directly, you must update to 1.15; however, you can't download 1.15 directly... only 1.20!

D-link... please... get your **** straight... as it stands, I won't buy another d-link so long as I live. If it weren't for the fact I spent $400 on this damn router and that it'll cost me another $400 to replace, I would have jumped ship by now.
« Last Edit: October 11, 2017, 02:24:54 PM by FurryNutz »
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2752
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #3 on: October 11, 2017, 02:31:58 PM »

Firmware 1.15 fixes are combined with the 1.20 fixes in the release notes. They are packaged together and both need to be upgraded to fix the security exploits. Once you install 1.15 the 1.20 firmware is available through the GUI but I would just install the 1.20 as stated in the instructions in the ZIP file.
Logged

Tario70

  • Level 2 Member
  • **
  • Posts: 58
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #4 on: October 16, 2017, 04:34:30 PM »

I can't get 1.20B02 to even install.

1.15 installed without issue from the router update page (downloaded the file from the D-Link Support page). When I select the 1.20B02 bin file from the router upgrade page I get pushed to the "http://ipaddress/fwupload.cgi" page & then I get a bunch of HTML.

Here's the HTML I get:
Quote
27f

<html>
   <head>
      <meta http-equiv="Pragma" content="no-cache"> <!--for HTTP 1.1-->
      <meta http-equiv="Cache-Control" content="no-cache"> <!--for HTTP 1.0-->
      <meta http-equiv="Expires" content="0"> <!--prevents caching at the proxy server-->
      <script type="text/javascript" charset="utf-8" src="/js/initialJQ.js"></script>
      <script type="text/javascript" charset="utf-8" src="/js/initialJS.js"></script>
      <script type="text/javascript" charset="utf-8" src="/js/initialCSS.js"></script>
      <script type="text/javascript">
         self.location.href = "UpdateFirmware.html?UpdateResult=SUCCESS";
      </script>
   </head>
   <body>
   </body>
</html>
0

Will try to do the update right from the update page & download the update from d-link. One problem I've noticed it 1.15 seems to have an October date on it while 1.20 has a September date on it. Not sure if that's an issue.
Logged

Tario70

  • Level 2 Member
  • **
  • Posts: 58
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #5 on: October 16, 2017, 04:38:49 PM »

Also, as a follow up.

I know the thread here says we should "hard reset" after install. Can we restore our settings after that?
Logged

Tario70

  • Level 2 Member
  • **
  • Posts: 58
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #6 on: October 16, 2017, 04:53:48 PM »

Final Update.

Manually updated to 1.15 without issue, but could not manually update to 1.20.

Used the "download & update" feature on the upgrade page to download & update to 1.20 via that. The update installed & then I reset the router & restored to my saved settings.

Everything looks good.
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #7 on: October 16, 2017, 05:37:22 PM »

Glad you got it installed. Enjoy.
 ;)
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

stefan063

  • Level 1 Member
  • *
  • Posts: 1
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #8 on: November 01, 2017, 05:50:46 AM »

QoS works very bad. And there is no IP on QoS priority tabs of devices.
Logged

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2752
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #9 on: November 01, 2017, 06:38:03 AM »

Explain "QoS works very bad".
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #10 on: November 01, 2017, 09:40:22 AM »

Link>Welcome!

  • What region are you located?
  • Are you wired or wireless connected to the router?
  • Has a Factory Reset been performed?
  • Was a Factory Reset performed before and after any firmware updates then set up from scratch?
  Link> >FW Update Process
  • Was the router working before any firmware updates?

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?


QoS works very bad. And there is no IP on QoS priority tabs of devices.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Chresine

  • Level 1 Member
  • *
  • Posts: 5
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #11 on: November 08, 2017, 08:25:38 PM »

How does one restore the saved settings after a FW upgrade?
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #12 on: November 08, 2017, 09:18:08 PM »

Don't, set up from scratch after doing one factory reset after the FW loads. Once you've set it up. Do a new save config to file
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2752
Re: Firmware 1.20B02 Released - SECURITY PATCH
« Reply #13 on: November 09, 2017, 06:49:08 AM »

I agree with Furry. It is better to start from scratch, but personally i am the guy resetting the device after every firmware upgrade.

The process of saving and restoring config files --> http://support.dlink.com/faq.aspx?f=950&m=DIR-895L/FAQView.aspx?f=JVafnVwDPIEgtBuep0b0QQ%3d%3d
Logged