• March 31, 2020, 07:33:47 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: DWR-xxx, DIR-140L/640L sequenced Command Exe security vulnerabilities  (Read 1062 times)

GreenBay42

  • Administrator
  • Level 10 Member
  • *
  • Posts: 2435

For latest information, go to https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10093



On October 12, 2018, a 3rd-Party security researcher from Silesian University of Technology publicly disclosed three vulnerabilities that maybe used in combination to gain configuration access to some D-Link products.

D-Link is aware of the report alleged by the 3rd-party, and are in the process validating the claims stated in the report.

D-Link believes the 3rd-Party did misrepresent the vulnerabilities by broadly using the term "remote".  The attacks described in the 3rd-Party Report require the device to respond to HTTP requests.  These services are not available on the WAN-port (meaning Internet connection side) of D-Link Devices as default.  This means that the attacks described in the report are limited to the LAN-side (Local or In-home connections) which narrows the potential threat since the attack would need to start from a malicious user connected to the device on the LAN-side.

D-Link will continue to investigate and release updated information as it becomes available.

Products accused (go to the link at the top to view status and firmware):
  • DWR-111
  • DWR-116
  • DWR-512
  • DWR-712
  • DWR-912
  • DWR-921
  • DIR-140L
  • DIR-640L
Logged