D-Link Forums
Topic started by: ReverendTed on April 09, 2014, 11:50:14 AM
-
Does the Heartbleed vulnerability in OpenSSL impact DCS-series IP cameras?
If so, is a fix planned?
Was this related to the recent firmware security update issued for several of the cameras?
Update 04/11/2014: The following reply was posted by an admin and contains a link to the D-Link "Heartbleed OpenSSL Vulnerability Security Publication" that lists all affected D-Link products and the status of any necessary fixes:
Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns.
Some information can now be found on our Security Advisories site with more updates on which products are affected coming soon.
D-Link Security Advisories
http://securityadvisories.dlink.com/security/
Heartbleed OpenSSL Vulnerability Security Publication
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022
Also: XKCD had a fun little strip that explains the vulnerability in very simple terms (http://www.xkcd.com/1354/). (Typical missing bounds check overrun vulnerability.)
-
Good question. I've already asked D-Link and will let you know what I find out. ;)
-
Yes, WE will! ;D
Please be patient while we wait for information.
If users are concerned about this issue, we recommend immediately contacting your regional D-Link support office by phone and asking for help and information. We find that phone contact has better immediate results than using email.
-
Was this related to the recent firmware security update issued for several of the cameras?
No. That was related to generating a self-signed certificate.
Link
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10010
-
http://www.dslreports.com/shownews/Researchers-Reveal-Devastating-Heartbleed-OpenSSL-Bug-128478
-
Security and performance are of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed. We will continue to update this page to include the relevant product firmware updates addressing these concerns.
More detailed information can be found on our Security Advisories website with more updates on which products are affected coming soon.
D-Link Security Advisories
http://securityadvisories.dlink.com/security/
Heartbleed OpenSSL Vulnerability Security Publication
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022
-
Whoa. I've...I've never actually seen an Admin!
Also, thanks for the update. I've updated my first post in this thread with your reply, to make it easier for other concerned parties to find it.
Also also: XKCD had a fun little strip that explains the vulnerability in very simple terms (http://www.xkcd.com/1354/). (Typical missing bounds check overrun vulnerability.)
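The missing bounds check mentioned above, seen from the fixing side, as an added example (not part of any post in this thread, and not D-Link's or OpenSSL's code): a heartbeat request states its own payload length, and the receiver has to compare that claim with the bytes it actually received before echoing anything back. The function names and the two sample records are constructed for illustration; the message layout and the 16-byte minimum padding follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Constructed sample records: claimed payload_length 5 vs. 0x4000. */
static const uint8_t HB_HONEST[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t HB_LYING[21]  = {HB_REQUEST, 0x40, 0x00, 'h', 'i'};

static size_t hb_claimed(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes an unchecked echo of the claimed length would read past the record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN) return 0;
    size_t end = HB_HDR_LEN + hb_claimed(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Build the response in out; returns its length, or 0 to discard silently. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed(rec);
    /* The bounds check: the claimed length must fit in what was received. */
    if (HB_HDR_LEN + claimed + HB_MIN_PAD > rec_len) return 0;
    size_t resp_len = HB_HDR_LEN + claimed + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    memset(out + HB_HDR_LEN + claimed, 0, HB_MIN_PAD); /* zeros for the demo; real padding is random */
    return resp_len;
}

size_t demo_honest(void) { uint8_t out[64]; return hb_respond_checked(HB_HONEST, sizeof HB_HONEST, out, sizeof out); }
size_t demo_lying(void)  { uint8_t out[64]; return hb_respond_checked(HB_LYING, sizeof HB_LYING, out, sizeof out); }

int main(void)
{
    printf("honest: response %zu bytes, over-read %zu\n", demo_honest(), hb_overread(HB_HONEST, sizeof HB_HONEST));
    printf("lying:  response %zu bytes, over-read %zu\n", demo_lying(), hb_overread(HB_LYING, sizeof HB_LYING));
    return 0;
}
```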
-
Encouraging to see that so far no D-Link products have been found to be affected, though the DCS-series cameras are still listed as "Under Investigation" as of 4/16/2014.
-
D-Link published that the Heartbleed Bug does not affect the following services/applications:
- mydlink cloud portal and service
- mydlink iOS Mobile Applications (All Versions)
- mydlink Android Mobile Applications (All Versions)
OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services (http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022)
-
Update: D-Link published that the Heartbleed Bug does not affect the following hardware/services/applications:
- D-Link Cloud Cameras (Exception: DCS-940L is under investigation)
- D-Link ShareCenters (Exception: DNS-327L FW v1.01, Fix in development)
- D-Link Network Video Recorders
- mydlink cloud portal and service
- mydlink iOS Mobile Applications (All Versions)
- mydlink Android Mobile Applications (All Versions)
OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services (http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022)
-
;D