UPnP 

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment.

January 30, 2013 UPDATE:


At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP.

Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed):

  • All Versions of Intel SDK
  • Version of Portable SDK prior to V. 1.6.18
  • Version of MiniUPnP SDK prior to V. 1.1

Security and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.

The company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities.  If any action is needed, D-Link will provide information online at www.dlink.com/upnp
 
We are currently updating our Vendor responses at US-CERT (US Computer Emergency Readiness Team) for the support CVEs (Common Vulnerabilities and Exposures).

We also discourage the use of industry-available tools available to the public because of the number of false-negatives and false-positives. This potential vulnerability is complex and requires deeper inspection and replacement of the recommend SDK stated in the CVEs.

The following is a current status of D-Link SKUs being assessed based on the recent security vulnerability: 

 

Unaffected SKUs
Status
DIR-605L
No Action Required.
DCS-930L
DCS-932L
DCS-942L
DCS-1100
DCS-1130L
DCS-2102
DCS-2121L
DCS-2132L
DCS-5211L
DCS-5222L

 Active
Affected SKUs
 Status Notes
 DIR-626L        

Feb 11, 2013
New firmware v1.02 available

D-Link will release an updated firmware that will close this potential vulnerability.

We will provide the release schedule as it becomes available.

For users concerned about this vulnerability there is an immediate option to disable the UPnP feature in the device by following the steps noted below.

 DIR-636L Feb 11, 2013
New firmware v1.03 available
 DIR-655 Rev B1 Aug 14, 2013
New firmware v2.11 available
 DIR-826L Feb 11, 2013
New firmware v1.03 available
 DIR-827  
 DIR-835 Feb 11, 2013
New firmware v1.04 available
 DIR-836L Feb 11, 2013
New firmware v1.03 available
 DIR-857 Feb 11, 2013
New firmware 1.04 available
 DIR-865L Aug 7, 2013
New firmware 1.05b07 available
 DCS-2103  
 DCS-2130  
 DCS-2210  
 DCS-2230  
 DCS-3710B1  
 DCS-6510  
 DCS-6511  
 

End of Life*
Affected SKUs
Status
 DIR-100   

We recommend users turn off UPnP on the product.

*Products generally do not receive software updates after they are announced as End of Life and no longer under support and warranty periods.

 DIR-120
 DIR-524UP
 DIR-524UPM
 DIR-604+
 DIR-604UP
 DIR-604UPM
 DIR-624S
 WBR-1320                         
 

 

Customers that want to disable UPnP in the affected products can do so by following these steps:

Current Solution for Affected Products by Disabling UPnP

     Step 1: Open a web browser and log in to the device web configuration page - For routers the default URL is:

                http://dlinkrouter.local    or   http://192.168.0.1

     Step 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.

     Step 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device

     Step 4: Click Save Settings at the top to apply the settings.
 

*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.