Overview

D-Link recommends all network attached storage and network video recorders be connected behind an adequate firewall system that restricts access to local LAN only. Until report is completely verified and patches available if necessary, we do not recommend exposing these D-Link device to internet traffic.

A 3rd party has performed an independent security assessment on D-Link storage devices. The report has identified unique vulnerabilities in these product using the public available firmware classified as:

• Authentication can be bypassed.
• Some implemented security features may introduce command injection exploits.
• Unauthenticated file upload.
• Default users (root, nobody) can be used during authentication, and the administrator cannot change the default (empty) password of these users from the device web GUI.

References

• SEARCH-LAB :: Link :: Disclosure May 27, 2015
• SEARCH-LAB :: Link :: Original Report :: Initially July 30, 2014
• CVE-2014-7857 :: Authentication bypass vulnerability
• CVE-2014-7858 :: Check_login bypass vulnerability in DNR-326
• CVE-2014-7859: Buffer overflow in login_mgr.cgi and in file_sharing.cgi
• CVE-2014-7860: Unauthenticated photo publish

Description

The 3rd party has published details in a full report lined in the Reference section. In order to maintain authenticity of the report we recommend any questions be directed toward the 3rd party at this time.

Recommendations 

We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.  We will continue to update this page to include the relevant product firmware updates addressing these concerns. Please continue to monitor this page for further updates and disclosures. 

All devices on your network should have log-in credentials. If your network has Wi-Fi, please make sure WiFi encryption-keys are enabled. For devices that cannot notify the owner of a new software updates, check for updates from the devices manufacture. For D-Link devices you can find them at http://www.dlink.com/support.  

Immediately update to the patched firmware referenced in the table below once they are made available. Please continue to monitor this page for further updates and disclosures. 

D-Link recommends that all PCs (Window or Mac) be up-to-date and scanned for virus, bots, or other damaging software that could compromise the network they are connected. 

Wi-Fi encryption reduces the risk to this vulnerability if the device Web-GUI is accessed over Wi-Fi. If Wi-Fi network was encrypted, the malicious user would also need to compromise the Wi-Fi encryption, or PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.  

The default configuration of D-Link's devices is to provide simple installation, ease of usability, and offer widest interoperability. D-Link reminds customers to configure their devices specifically to  and for security concerns within their network infrastructure. In General, D-Link recommends disabling services not being used, changing/securing device log-in credentials, enabling Wi-Fi encryption, monitoring the routers log files, and access-lists for your devices so security risks for your entire network are minimised. 

Affected Product 

Model Name	HW Version	Vulnerable FW Versions	Current FW Versions   (include fixes)
DNS-320L/LW	Rev. Ax	Rev. Ax :: F/W ver. 1.03b04 and below	F/W. ver 1.04b12  Partial Patch F/W. ver. 1.05 Under development with estimated release date of 14/08/2015 (Updated 13/07/2015)
DNR-322L	Rev. Ax	Rev. Ax :: F/W ver.2.00b07 and below	F/W. ver. 2.4 (Updated 01/10/2015)
DNR-326	Rev. Ax	Rev. Ax :: F/W ver.1.40b03 and below	F/W. ver. 2.4 (Updated 01/10/2015)
DNR-327L	Rev. Ax	Rev. Ax :: F/W ver.1.02 and below	F/W. ver. 1.04 Under development with estimated release date of 21/08/2015 (Updated 13/07/2015)

Security patch for your D-Link Devices

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.