D-Link Forums

Announcements => Security Advisories => Topic started by: GreenBay42 on October 26, 2018, 01:03:16 PM

Title: DWR-xxx, DIR-140L/640L sequenced Command Exe security vulnerabilities
Post by: GreenBay42 on October 26, 2018, 01:03:16 PM
For the latest information, go to https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10093

On October 12, 2018, a 3rd-Party security researcher from Silesian University of Technology publicly disclosed three vulnerabilities that may be used in combination to gain configuration access to some D-Link products.

D-Link is aware of the report alleged by the 3rd-Party, and is in the process of validating the claims stated in the report.

D-Link believes the 3rd-Party did misrepresent the vulnerabilities by broadly using the term "remote". The attacks described in the 3rd-Party Report require the device to respond to HTTP requests. These services are not available on the WAN-port (meaning Internet connection side) of D-Link Devices by default. This means that the attacks described in the report are limited to the LAN-side (Local or In-home connections), which narrows the potential threat since the attack would need to start from a malicious user connected to the device on the LAN-side.

D-Link will continue to investigate and release updated information as it becomes available.

Products accused (go to the link at the top to view status and firmware):