Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment.
January 30, 2013 UPDATE:
At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.
Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed):
- All Versions of Intel SDK
- Version of Portable SDK prior to V. 1.6.18
- Version of MiniUPnP SDK prior to V. 1.1
Security and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.
The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information online at www.dlink.com/upnp
We are currently updating our Vendor responses at US-CERT (US Computer Emergency Readiness Team) for the support CVEs (Common Vulnerabilities and Exposures).
We also discourage the use of industry-available tools available to the public because of the number of false-negatives and false-positives. This potential vulnerability is complex and requires deeper inspection and replacement of the recommend SDK stated in the CVEs.
The following is a current status of D-Link SKUs being assessed based on the recent security vulnerability:
| Unaffected SKUs |
Status |
| DIR-605L |
No Action Required. |
| DCS-930L |
|
| DCS-932L |
|
| DCS-942L |
|
| DCS-1100 |
|
| DCS-1130L |
|
| DCS-2102 |
|
| DCS-2121L |
|
| DCS-2132L |
|
| DCS-5211L |
|
| DCS-5222L |
| Active Affected SKUs |
Status |
| DIR-626L |
D-Link will release an updated firmware that will close this potential vulnerability.
We will provide the release schedule as it becomes available. For users concerned about this vulnerability there is an immediate option to disable the UPnP feature in the device by following the steps noted below.
|
| DIR-636L | |
| DIR-826L | |
| DIR-836L | |
| DCS-2103 | |
| DCS-2130 | |
| DCS-2210 | |
| DCS-2230 | |
| DCS-3710B1 | |
| DCS-6510 | |
| DCS-6511 |
| End of Life* Affected SKUs |
Status |
| DIR-100 |
We recommend users disable UPnP on the product by following the steps noted below.
*Products generally do not receive software updates after they are announced as End of Life and no longer under support and warranty periods.
|
| DIR-120 | |
| DIR-524UP | |
| DIR-524UPM | |
| DIR-604+ | |
| DIR-604UP | |
| DIR-604UPM | |
| DIR-624S | |
| WBR-1320 |
Customers that want to disable UPnP in the affected products can do so by following these steps:
Current Solution for Affected Products by Disabling UPnP
Step 1: In your web browser, open and log in to the device web configuration page - For routers the default URL is:
http://dlinkrouter.local or http://192.168.0.1
Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
Step 4: Click Save Settings at the top to apply the settings.
*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.