D-Link Forums

The Graveyard - Products No Longer Supported => IP Cameras => DCS-930L => Topic started by: GreenBay42 on December 13, 2017, 07:18:13 AM

Title: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: GreenBay42 on December 13, 2017, 07:18:13 AM
A security patch has been released for revision B only.

EDIT: Firmware is no longer BETA. Officially released on Jan 23, 2018

Firmware --> ftp://FTP2.DLINK.COM/PRODUCTS/DCS-930L/REVB/DCS-930L_REVB_FIRMWARE_v2.15.06.zip

Release Notes:

Reported:
Reported on 09/06/2017 by Robin Stenvi (robin dot stenvi at protomail dot com)

The following affects firmware versions 2.14.04 and below.

Problems Fixed:
1. Cross-Site Request Forgery (CSRF) which may lead to configuration information exposure.
2. Denial of Service (DoS) in the camera's CGI web framework that may lead to the camera becoming unresponsive.
3. Adobe Flash Player configuration resulting in an unintentional Cross-Origin Resource Sharing misconfiguration that may lead to further malicious attacks on the camera.

New Features:
1. Upgrade mydlink agent to 2.2.0-b03
2. Change the system default date to 2017/01/01
3. Update the ActiveX and Java Applet with renewed code-signing certificate (validity period of the certificate is from 9/30/2016 to 10/1/2019).
4. Support digest authentication for Web UI
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 10:58:22 AM
I think there may be things wrong with this version. After installing on 3 cams, two of them would no longer authenticate via curl. This version also does not work with Firefox (unless you use a user-agent switcher), and it requires IE on windows...
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 12:09:41 PM
CURL may have been something that wasn't officially supported or a security issue so D-Link may have closed that door.

Try using FF ESR for connecting to the cameras. Newer versions of FF standard have stopped supporting plug-ins so may not work correctly:
http://forums.dlink.com/index.php?topic=66483.0

> I think there may be things wrong with this version. After installing on 3 cams, two of them would no longer authenticate via curl. This version also does not work with Firefox (unless you use a user-agent switcher), and it requires IE on windows...
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 12:49:37 PM
> CURL may have been something that wasn't officially supported or a security issue so D-Link may have closed that door.

The problem with that theory is they didn't seem to close the door for all three cams that I upgraded so I can't take that to the bank.
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 12:52:29 PM
So you have a camera that still authenticates via CURL then?
What was the process you followed for updating FW? Were any resets performed?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 12:57:05 PM
> So you have a camera that still authenticates via CURL then?
> What was the process you followed for updating FW? Were any resets performed?

Correct, one camera works with curl.

Your second question may point to something. I used FF to do the upgrades and
maybe that caused an issue. I will try one of the cams that fails with curl and use
IE for the upgrade (wired connection of course). I'll let you know.

Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 01:03:50 PM
 ;)

What version of FF did you use?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 01:17:54 PM
> ;)
>
> What version of FF did you use?

Win 10 and FF 57.0.4 64 bit

Using IE did not work. The same problem.

I also noticed that 2.14.04 seemed to upgrade nicely with a message at the end
that states "Firmware upgrade completed". The new firmware just displays a "reply"
web page.

Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 01:41:29 PM
Reply?

Can you post a picture of what you see with the v2.15 FW update message?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 01:48:20 PM
> Reply?
>
> Can you post a picture of what you see with the v2.15 FW update message?

Sorry, I may have been too glib. It's not a reply web page per se, it tries to display
a page, but gives you an error page instead. The page shows "The website declined to show this webpage".
The page that it was trying to display is "replyk.htm".
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 01:49:26 PM
Hmm, this in FF and IE?

Did you clear out the browser cache before and after sending the FW file?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 01:58:15 PM
> Hmm, this in FF and IE?
>
> Did you clear out the browser cache before and after sending the FW file?

Yes, both FF and IE display that last page problem.

No, to the cache clearing question. I have never had to do that before and I've been
doing stuff like this for years.
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 02:02:09 PM
Can you try a factory reset on one camera, then do the cache clear on either browser and see if same thing still happens.

Are these cameras wired or wireless connected when FW updates happen?

I'll pass this on to D-Link for review. Not sure what is happening.
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 02:08:48 PM
> Can you try a factory reset on one camera, then do the cache clear on either browser and see if same thing still happens.
>
> Are these cameras wired or wireless connected when FW updates happen?
>
> I'll pass this on to D-Link for review. Not sure what is happening.

I actually had done a factory reset on one of them that fails.

I will try the cache clearing test tomorrow and let you know.

I always use wired connections when applying firmware.

Thanks for passing this on...
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: GreenBay42 on January 15, 2018, 02:17:17 PM
After the firmware upgrade can you get into the camera's UI without issue?  If not can you ping the camera?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 02:24:12 PM
> After the firmware upgrade can you get into the camera's UI without issue? If not can you ping the camera?

Yes, pinging works fine and the UI works, but only in IE, not FF after this upgrade.
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 02:26:55 PM
Did you try FF ESR?
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 02:32:35 PM
> Did you try FF ESR?

Not yet. I'll have to research it before using it. I'll let you know.
Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: jasred on January 15, 2018, 03:43:06 PM
One more thing that may or may not be important. The firmware that I downloaded and used for the upgrades was from here:
http://support.dlink.com/ProductInfo.aspx?m=DCS-930L
I did not use the FTP link that is in the OP's first post.

Title: Re: DCS-930L Rev B - Security Patch Firmware - v2.15B06 Released
Post by: FurryNutz on January 15, 2018, 05:21:04 PM
One in same...