• September 19, 2019, 06:52:59 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Revoked Certificate when viewing mydlink IP Cameras with-in web-browsers  (Read 6480 times)

GreenBay42

  • Administrator
  • Level 10 Member
  • *
  • Posts: 2169

Read here for the latest on this issue and a workaround until firmware gets released - https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10089

Scroll to the bottom for questions and answers.

D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue. Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.

Note: Unfortunately several products have been delayed.



Affected Products

DCS-930L - Rev A - No update will be available

DCS-930L - Rev B - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-930L/REVB/DCS-930L_REVB_FIRMWARE_v2.16.01.zip (7/24/18)

DCS-931L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-931L/REVA/DCS-931L_REVA_FIRMWARE_v1.15.01.zip (6/17/19)

DCS-932L - Rev A - No update will be available

DCS-932L - Rev B - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-932L/REVB/DCS-932L_REVB_FIRMWARE_v2.17.01.zip (7/24/18)

DCS-933L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-933L/REVA/DCS-933L_REVA_FIRMWARE_v1.15.01.zip (6/17/19)

DCS-934L - Rev A- ftp://FTP2.DLINK.COM/PRODUCTS/DCS-934L/REVA/DCS-934L_REVA_FIRMWARE_1.06.02.zip (6/17/19)

DCS-935L (US version) - Rev A1

DCS-960L - Rev A

DCS-5000L (non-US) - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5000L/REVA/DCS-5000L_REVA_FIRMWARE_v1.04.01.zip (7/31/18)

DCS-5009L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5009L/REVA/DCS-5009L_REVA_FIRMWARE_v1.09.12.zip (12/19/18)

DCS-5010L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5010L/REVA/DCS-5010L_REVA_FIRMWARE_v1.15.12.zip (12/20/18))

DCS-5020L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5020L/REVA/DCS-5020L_REVA_FIRMWARE_v1.15.12.zip (7/25/18)

DCS-5025L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5025L/REVA/DCS-5025L_REVA_FIRMWARE_v1.04.02.zip (6/13/19)

DCS-5029L - RevA - http://legacyfiles.us.dlink.com/DCS-5029L/REVA/FIRMWARE/DCS-5029L_REVA_FIRMWARE_1.15.05.zip (7/11/19)

DCS-5030L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-5030L/REVA/DCS-5030L_REVA_FIRMWARE_v1.05.17.zip (10/31/18)

DCS-6004L - Rev A2 - http://legacyfiles.us.dlink.com/DCS-6004L/REVA/FIRMWARE/DCS-6004L_REVA_FIRMWARE_1.04.31_WW.zip (8/12/19)

DCS-6005L - Rev A1

DCS-6045L - Rev A



DNR-202L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DNR-202L/REVA/DNR-202L_REVA_FIRMWARE_v2.05.07_BETA.zip (2/22/19)

DNR-312L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DNR-312L/REVA/DNR-312L_REVA_FIRMWARE_v1.07.10.zip (8/14/18)

DNR-322L - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DNR-322L/REVA/DNR-322L_REVA_FIRMWARE_v2.60B15_BETA.zip (3/5/19)

DNR-322L - Rev B

DNR-2020-04P (non-US) - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DNR-2020-04P/REVA/DNR-2020-04P_REVA_FIRMWARE_v1.02.07.zip (7/31/18)

DNR-326 - Rev A - ftp://FTP2.DLINK.COM/PRODUCTS/DNR-326/REVA/DNR-326_REVA_FIRMWARE_v2.70B04_BETA.zip (3/5/19)



Q: What is the function of a code signing certificate?

A: When customers go to a physical reputable store to buy a product, based on the inspection of the packaging of the product, they know who manufactured the product and whether the package has been opened. Similarly, when customers obtain software programs on-line, a program signed with a code signing certificate issued through a trusted third-party certification company indicates to the customers that the programs are legitimate, genuine, and have not been modified.


Q: Why did D-Link revoke the certificates?

A: D-Link recently discovered that two of its code signing certificates were misappropriated. Upon this discovery, we investigated the issue including immediately contacting our third-party certification company to revoke the two affected D-Link certificates on July 3rd, 2018 to prevent any further misuse. That is, after the date of revocation, any programs signed with either of the revoked certificates are illegally using the revoked certficate and are no longer valid. Accordingly, Windows operating systemís automatic security mechanism will prohibit the execution of such illegal software.


Q: Do D-Link software have viruses or security vulnerabilities?

A: No, this issue pertains to the certificate being misappropriated by an unauthorized user, and does not concern D-Link software being infected with a virus or compromised due to security vulnerabilities.


Q: Does the revocation of the D-Link certificates affect customers using D-Link software? Do I need to update my software?

A: Affected D-Link software is limited to D-Link's Java web applications that were created with the revoked certificate.  An affected application will report that it's certificate has been revoked and will not run the application in both Microsoft Windows or Apple OSx/macOS operating systems. These revoked certificates will not affect the use of the mydlink mobile applications. We will be updating the affected Java web application which will require users to install this new application.
« Last Edit: August 12, 2019, 07:56:36 AM by GreenBay42 »
Logged