UPnP
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment.
January 30, 2013 UPDATE:
At the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and MiniUPnP.
Recently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed):
- All Versions of Intel SDK
- Version of Portable SDK prior to V. 1.6.18
- Version of MiniUPnP SDK prior to V. 1.1
Security and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions.
D-Link is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. If any action is needed, D-Link will provide information on this page.
We are currently updating our Vendor responses at US-CERT (US Computer Emergency Readiness Team) for the support CVEs (Common Vulnerabilities and Exposures).
We also discourage the use of industry-available tools available to the public because of the number of false-negatives and false-positives. This potential vulnerability is complex and requires deeper inspection and replacement of the recommend SDK stated in the CVEs.
Below is a list of D-Link products that are potentially vulnerable. If your product is not listed below, it is secure and not affected; no further action is required.
Active Affected SKUs | Status | Note |
DIR-626L |
May 20, 2013 |
D-Link will release an updated firmware that will close this potential vulnerability. We will provide the release schedule as it becomes available. For users concerned about this vulnerability there is an immediate option to disable the UPnP feature in the device by following the steps noted below. |
DIR-636L |
May 20, 2013 |
|
DIR-826L |
May 20, 2013 |
|
DCS-2130 |
May 30, 2013 |
|
DCS-2210 |
June 3, 2013 |
|
DCS-2230 |
June 3, 2013 |
|
DCS-3710 H/W ver. B1 |
May 30, 2013 |
|
DCS-6511 |
May 30, 2013 |
Current Solution for Affected Products by Disabling UPnP
-
Log into the device’s web configuration.
For routers, the default browser URL address is as below:
http://dlinkrouter.local or http://192.168.0.1For IP/network cameras, access the camera via its IP address. If you are unsure about this, please download, unzip and install the D-Link Network Camera Setup Wizard from ftp://ftp.dlink.eu/Products/dcs/@general/DCS_Setup-Wizard-SE.zip, which will automatically discover the camera on your network.
-
Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side.
-
Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device
-
Click Save Settings at the top to apply the settings.
Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products.