DIR-626L/DIR-636L/DIR-810L/DIR-826L - Remote code execution - Information disclosure - DNS hijacking

05 March, 2015

Overview

D-Link was presented with a report of three potential vulnerabilities in the DIR-820L by a third party who conducted security penetration tests. Although this model is not available in the European region, as part of D-Link’s continuing efforts to resolve security issues, D-Link expanded its investigation to the DIR-626L/DIR-636L/DIR-810L/DIR-826L. The first vulnerability reportedly relates to a malicious user, who might be connected to the LAN side of the device, using the device’s upload utility to load malicious code without authentication. The second vulnerability reportedly relates to the device’s ping utility, which might permit command injection without authentication. The third vulnerability reportedly may exploit certain chipset utilities in the firmware, potentially permitting a malicious user to carry out an attack that discloses information about the device’s configuration.

References

Peter Adkins :: Link :: Initially January 11, 2015

Swisscom CSIRT :: CVE-2015-1187 :: Link / Packet Storm :: Link :: Initially March 2, 2015

Description

A reference or a link to the original report by the third-party author is provided above. This third-party report was not created by D-Link. We encourage you to reference the third party’s original post and contact the author if you have any questions about the vulnerability.

Please note these vulnerabilities may present potential LAN-side or in-home risks. The affected devices have a feature, disabled by default, that allows remote administrative access. If the user enables this feature, they may potentially put the device at risk of these attacks from the outside/internet.

In addition, some of these reported vulnerabilities require observing a LAN-side user or tricking a user's browser to gain access. Observing a user configuring the device requires access to your home network or the use of other security exploits against other home network devices not related to the device, such as your personal computer, tablets or mobile phones.

1. Local network; unauthenticated access

  • 1a. Uploading malicious code that is unchecked by fwupgrade.ccp
  • 1b. Command injection of malicious code that is unchecked by ping.ccp
  • 1c. Command injection of malicious code using chipset-vendor SDK utilities embedded in the firmware, resulting in information disclosure of the device configuration

2. Remote network; unauthenticated access

  • 1a, 1b, 1c can be used by a malicious user if the end-user has enabled remote configuration, which is disabled by default

3. Remote network; 'drive-by' via CSRF

  • 1a, 1b, 1c attacks can be attempted if a malicious user can obtain access to the LAN-Side of the device or trick the user's browser to attack the device from the LAN-side.
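
The three access paths listed above can be told apart in HTTP request logs captured on the network, for example by a proxy or sensor. The following Python is an added example, not code from D-Link or the third-party report; the log format, LAN subnet, router addresses and sample lines are constructed assumptions, and only the two endpoint names come from the advisory.

```python
import ipaddress
from urllib.parse import urlsplit

WATCHED = ("fwupgrade.ccp", "ping.ccp")          # endpoints named in the advisory
LAN = ipaddress.ip_network("192.168.0.0/24")     # assumed LAN subnet
ROUTER = {"192.168.0.1", "198.51.100.10"}        # assumed LAN and WAN addresses

# Constructed sample, one request per line:
# timestamp src_ip method dest_host path referer   ("-" means no Referer)
SAMPLE_LOG = """\
2015-03-02T10:00:01Z 192.168.0.23 GET 192.168.0.1 / -
2015-03-02T10:00:05Z 192.168.0.23 POST 192.168.0.1 /ping.ccp http://192.168.0.1/
2015-03-02T10:02:11Z 192.168.0.42 POST 192.168.0.1 /ping.ccp http://ads.example.net/page.html
2015-03-02T10:05:40Z 203.0.113.77 POST 198.51.100.10 /fwupgrade.ccp -
2015-03-02T10:06:02Z 192.168.0.23 POST 192.168.0.50 /ping.ccp -
"""

def classify(line):
    """Return (src, endpoint, vector) for a request to review, else None."""
    fields = line.split()
    if len(fields) != 6:
        return None                               # not in the assumed format
    _ts, src, _method, dest, path, referer = fields
    endpoint = urlsplit(path).path.rsplit("/", 1)[-1].lower()
    if dest not in ROUTER or endpoint not in WATCHED:
        return None
    try:
        inside = ipaddress.ip_address(src) in LAN
    except ValueError:
        return None                               # malformed source address
    if not inside:
        return src, endpoint, "remote"            # item 2: remote management reachable
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host and ref_host not in ROUTER:
        return src, endpoint, "csrf"              # item 3: request driven by another site
    return src, endpoint, "lan"                   # item 1: LAN-side request

def review(log_text):
    """Classify every line and keep only the requests that need review."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, endpoint, vector in review(SAMPLE_LOG):
        print(f"{src:15} {endpoint:14} {vector}")
```

A "lan" result also covers legitimate administrator use of these pages, so those hits need to be matched against known administration sessions; "remote" and "csrf" results should not occur on a router with remote management disabled and warrant immediate review.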

Recommendations

Disable remote administrative access and/or verify the device’s remote administrative access feature is disabled.

Check router device history for any unauthorised access.

All devices on your network should have log-in credentials and, if your network has Wi-Fi, please make sure Wi-Fi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device’s manufacturer.

Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.

D-Link recommends that the remote network management feature of your D-Link router be disabled (factory default is disabled) to prevent a malicious remote user from using this vulnerability to exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.

D-Link recommends that all PCs (Windows or Mac) be kept up to date and scanned for viruses, bots, or other damaging software that could compromise the network to which they are connected.

Wi-Fi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over Wi-Fi. If the Wi-Fi network is encrypted, the malicious user would also need to compromise the Wi-Fi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

The default configuration of D-Link's routers is to provide simple installation, ease of usability, and offer widest interoperability. D-Link Europe reminds customers to configure their devices specifically to and for security concerns within their network infrastructure. In general, D-Link Europe recommends disabling services not being used, changing/securing device log-in credentials, enabling Wi-Fi encryption, and monitoring the router's log files and access-lists for your devices so security risks for your entire network are minimised.

Affected Product

Model: DIR-626L
HW version: Ax
Vulnerable FW versions: v1.04b04_beta and before
Status:
The new firmware 1.05b01_beta fixes the security vulnerabilities
DIR-626L Revision A 1.05b01_beta
Please note: please unzip the file and use the file DIR626LA1_FW105B01.bin to update firmware.

Model: DIR-636L
HW version: Ax
Vulnerable FW versions: v1.04 and before
Status:
The new firmware 1.05b09_beta fixes the security vulnerabilities
DIR-636L Revision A 1.05b09_beta
Please note: please unzip the file and use the file DIR636LA1_FW105B09.bin to update firmware.

Model: DIR-810L
HW version: Ax
Vulnerable FW versions: Rev. Ax: v1.01b04 and before
Status:
The new firmware 1.03b01_beta fixes the security vulnerabilities
DIR-810L Revision A 1.03b01_beta
Please note: please unzip the file and use the file DIR810LA1_FW103B01.bin to update firmware.

Model: DIR-810L
HW version: Bx
Vulnerable FW versions: Rev. Bx: v2.02b01 and before
Status: 
The new firmware 2.04b01_beta fixes the security vulnerabilities
DIR-810L Revision B 2.04b01_beta
Please note: please unzip the file and use the file DIR810LB1_FW204B01.bin to update firmware. 

Model: DIR-826L
HW version: Ax
Vulnerable FW versions: v1.00b23 and before
Status:
The new firmware 1.06b01_beta fixes the security vulnerabilities
DIR-826L Revision A 1.06b01_beta
Please note: please unzip the file and use the file DIR826LA1_FW106B01.bin to update firmware.
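
Checking an inventory against the list above means comparing firmware strings numerically per model and hardware revision, not as text. The following Python is an added example, not D-Link tooling; the function names and the treatment of a missing build number are assumptions, and the version bounds are copied from this advisory.

```python
import re

# (model, hardware revision letter) -> (last vulnerable, first fixed), from the advisory
ADVISORY = {
    ("DIR-626L", "A"): ("1.04b04", "1.05b01"),
    ("DIR-636L", "A"): ("1.04", "1.05b09"),
    ("DIR-810L", "A"): ("1.01b04", "1.03b01"),
    ("DIR-810L", "B"): ("2.02b01", "2.04b01"),
    ("DIR-826L", "A"): ("1.00b23", "1.06b01"),
}

def parse_fw(text, missing_build=0):
    """'v1.04b04_beta' -> (1, 4, 4); a version without 'bNN' gets missing_build."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:b(\d+))?(?:_beta)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    build = int(m.group(3)) if m.group(3) else missing_build
    return int(m.group(1)), int(m.group(2)), build

def status(model, hw_rev, installed):
    """Return 'vulnerable', 'fixed', 'unknown' or 'not listed' for one device."""
    entry = ADVISORY.get((model.strip().upper(), hw_rev.strip().upper()[:1]))
    if entry is None:
        return "not listed"
    # Assumption: a bound without a build number ("v1.04 and before")
    # covers every build of that release.
    last_vuln = parse_fw(entry[0], missing_build=float("inf"))
    first_fixed = parse_fw(entry[1])
    fw = parse_fw(installed)
    if fw <= last_vuln:
        return "vulnerable"
    if fw >= first_fixed:
        return "fixed"
    return "unknown"   # between the two bounds: the advisory does not say

if __name__ == "__main__":
    # Constructed inventory rows: model, hardware revision, installed firmware
    for row in [("DIR-810L", "A1", "1.01b04"), ("DIR-810L", "A1", "v1.02b01"),
                ("DIR-810L", "B1", "2.04b01_beta"), ("DIR-636L", "A1", "1.04b07")]:
        print(*row, "->", status(*row))
```

A version that falls between the last vulnerable and first fixed release is reported as "unknown" rather than guessed, and should be treated as needing the update.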

Security patch for your D-Link Devices

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually and we strongly recommend that all users install the relevant updates.

As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found on the device web configuration