For latest information, go to
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10093
On October 12, 2018, a 3rd-Party security researcher from Silesian University of Technology publicly disclosed three vulnerabilities that maybe used in combination to gain configuration access to some D-Link products.
D-Link is aware of the report alleged by the 3rd-party, and are in the process validating the claims stated in the report.
D-Link believes the 3rd-Party did misrepresent the vulnerabilities by broadly using the term "remote". The attacks described in the 3rd-Party Report require the device to respond to HTTP requests. These services are not available on the WAN-port (meaning Internet connection side) of D-Link Devices as default. This means that the attacks described in the report are limited to the LAN-side (Local or In-home connections) which narrows the potential threat since the attack would need to start from a malicious user connected to the device on the LAN-side.
D-Link will continue to investigate and release updated information as it becomes available.
Products accused (go to the link at the top to view status and firmware):
- DWR-111
- DWR-116
- DWR-512
- DWR-712
- DWR-912
- DWR-921
- DIR-140L
- DIR-640L
Author
Topic: DWR-xxx, DIR-140L/640L sequenced Command Exe security vulnerabilities (Read 5991 times)