Overview
The DWL-3200AP Revision Ax or Bx Web-GUI configuration utility uses a cookie to maintain session and authentication state while a web browser is logged in to the device. A malicious user could monitor the communication between the device and the browser and capture the cookie. The cookie could then be read and its information used to access the device without further authentication. This vulnerability cannot be exploited under normal operation of the DWL-3200AP: an exploit requires a malicious user to capture traffic from a user logged in to the device's Web-GUI configuration pages. Information in the captured traffic to the Web-GUI can then be used to exploit the device's configuration without requiring a log-in. The Recommendation section below will guide you in closing this security issue in the product.
References
Report Discovered by D-Link Systems (D-Link US) @ http://www.securityfocus.com/bid/68964/info
Description
To preserve the author's intent, please read the original disclosure at: http://www.securityfocus.com/bid/68964/info
If the traffic of a management session between an authenticated web-browser and device is monitored, a cookie with session information can be captured.
Information within the cookie can allow malicious users to then take over the session and change device configuration without authentication.
A script is offered by the author as proof of concept, and the report has been confirmed by D-Link Corporation.
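As an added detection example (not part of D-Link's advisory or the researcher's report), the following Python flags an RpWebID session value that is presented by more than one client address, which is what reuse of a captured cookie looks like in management-interface traffic. The record layout, addresses and cookie values are constructed assumptions; only the cookie name RpWebID comes from this page.

```python
import re

# Constructed sample records (timestamp, client IP, raw Cookie header), as they
# might be extracted from a proxy log or capture of the AP's Web-GUI traffic.
SAMPLE_REQUESTS = [
    ("2014-08-01T10:00:01", "192.0.2.10", "RpWebID=3c5a91f0"),
    ("2014-08-01T10:00:05", "192.0.2.10", "RpWebID=3c5a91f0"),
    ("2014-08-01T10:02:40", "192.0.2.77", "RpWebID=3c5a91f0"),
    ("2014-08-01T10:05:12", "192.0.2.20", "lang=en; RpWebID=77aa01bc"),
    ("2014-08-01T10:06:00", "192.0.2.20", "lang=en"),
]

# Match RpWebID only as a whole cookie name (start of header or after ';').
COOKIE_RE = re.compile(r"(?:^|;\s*)RpWebID=([^;\s]+)")


def session_id(cookie_header):
    """Return the RpWebID value from a Cookie header, or None if absent."""
    match = COOKIE_RE.search(cookie_header or "")
    return match.group(1) if match else None


def find_reused_sessions(requests):
    """Report each session value later presented by a different client address.

    The first address seen with a session value is treated as its owner; every
    other address using the same value yields one alert with its first-seen time.
    """
    first_owner = {}
    flagged = set()
    alerts = []
    for ts, ip, cookie in sorted(requests):  # ISO timestamps sort chronologically
        sid = session_id(cookie)
        if sid is None:
            continue
        owner = first_owner.setdefault(sid, ip)
        if ip != owner and (sid, ip) not in flagged:
            flagged.add((sid, ip))
            alerts.append({"session": sid, "owner": owner,
                           "second_client": ip, "first_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_reused_sessions(SAMPLE_REQUESTS):
        print(alert)
```

Clients behind a shared NAT address are indistinguishable to this check, and a legitimate administrator whose address changes mid-session will also raise an alert, so treat hits as leads to confirm against the device's configuration change history.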
Recommendation
Please update to the fixed firmware referenced in the table below that will be published by the end of August 2014.
We recommend that any infrastructure that includes the DWL-3200AP be placed behind a firewall or a better security policy to mitigate the risk from a malicious remote user.
All devices on your network should have log-in credentials and WiFi encryption keys enabled, if applicable.
WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.
The default configuration of the DWL-3200AP is designed to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within each network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, and evaluating all security risks for your network regularly.
Affected Product
| Model Name | HW Version | Current FW Version | New Firmware for Correction |
|---|---|---|---|
| DWL-3200AP | Ax | v. 2.40 / | FW: Beta 2.56b15 |
| DWL-3200AP | Bx | v. 2.55RC515 | FW: Beta 2.56b15 |
Security Fixes Provided by New Firmware
| Model Name | HW Version | New Firmware | New Firmware Corrections |
|---|---|---|---|
| DWL-3200AP | Ax | | FW: Under Investigation |
| DWL-3200AP | Bx | | 1. Unauthenticated request to change Wireless settings; 2. Credentials in plaintext; 3. Weak cookie value (RpWebID); 4. Proof of Concept in security report mitigated |
Security patch for your D-Link Devices
These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.