Security Announcement
DSR-500 / DSR-500N / DSR-1000 / DSR-1000N - OpenSSL CCS Injection Vulnerability
Publication ID: SAP10045
Resolved Status: Yes
Published on: 9 October 2014 1:31 GMT
Last updated on: 9 October 2014 1:31 GMT

Overview

 

The DSR-500 Rev. A1 / DSR-500N Rev. A1 / DSR-1000 Rev. A1 / DSR-1000N Rev. A1 contain a vulnerability due to the use of the OpenSSL software stack.

 

An attacker using a carefully crafted handshake can force the use of weak encryption on OpenSSL SSL/TLS clients and these D-Link Service Routers.

 

This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic between the client and device.

 

The attack can only be performed between OpenSSL clients *and* devices that use OpenSSL, like the affected D-Link Service Routers.

 

 

References

 

OpenSSL - Link

Lepidum - Link

 
 

Description

 

OpenSSL’s ChangeCipherSpec processing has a vulnerability that can be exploited by a man-in-the-middle attack. This vulnerability allows a malicious host to intercept and decrypt encrypted data between a device and a client using OpenSSL. The malicious host can then force SSL clients to use weak keys, exposing the communication between the now-exploited hosts. Both OpenSSL servers and OpenSSL clients are affected by this vulnerability and should be updated immediately. This vulnerability is highly reproducible, and attackers are very likely to use it in targeted attacks.
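The following is an added example, not D-Link's or OpenSSL's code: a passive check over the client-to-server bytes of a captured handshake that flags a ChangeCipherSpec record arriving before the ClientKeyExchange message, which is out of order for a full TLS handshake. It assumes a full (non-resumed) handshake; the function names and sample byte strings are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, CLIENT_KEY_EXCHANGE = 22, 20, 16

def records(stream):
    """Yield (content_type, fragment) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        frag = stream[pos + 5 : pos + 5 + length]
        if len(frag) < length:
            raise ValueError("truncated TLS record")
        yield ctype, frag
        pos += 5 + length

def handshake_types(buf):
    """Pop complete handshake messages off buf, yielding each message type."""
    while len(buf) >= 4:
        length = int.from_bytes(buf[1:4], "big")
        if len(buf) < 4 + length:
            break  # message continues in a later record
        yield buf[0]
        del buf[: 4 + length]

def premature_ccs(client_to_server):
    """True if ChangeCipherSpec is seen before ClientKeyExchange.
    Assumption: full (non-resumed) handshake; records up to CCS are plaintext."""
    seen, buf = set(), bytearray()
    for ctype, frag in records(client_to_server):
        if ctype == HANDSHAKE:
            buf += frag
            seen.update(handshake_types(buf))
        elif ctype == CHANGE_CIPHER_SPEC:
            return CLIENT_KEY_EXCHANGE not in seen
    return False

# Constructed sample data: message bodies are zero-filled placeholders.
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

HELLO = rec(HANDSHAKE, hs(1, bytes(38)))
CKE = rec(HANDSHAKE, hs(CLIENT_KEY_EXCHANGE, bytes(130)))
CCS_REC = rec(CHANGE_CIPHER_SPEC, b"\x01")
NORMAL = HELLO + CKE + CCS_REC   # expected order
EARLY = HELLO + CCS_REC + CKE    # ChangeCipherSpec before key exchange

if __name__ == "__main__":
    print(premature_ccs(NORMAL), premature_ccs(EARLY))
```

Resumed sessions legitimately omit ClientKeyExchange, so run this check only on handshakes known to be full ones.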

 

Recommendations

 

All devices on your network should have log-in credentials, and if your network has WiFi, please make sure WiFi encryption keys are enabled. Also, for devices that cannot notify the owner of new software updates, check for updates from the device's manufacturer.

 

Immediately update to the fixed firmware referenced in the table below as it is made available. Please continue to monitor this page for further updates and disclosures.

 

D-Link recommends keeping your D-Link Service Router's remote network management feature disabled (factory default is disabled) to prevent a malicious remote user from using this vulnerability to exploit your router. If remote network management is disabled, a malicious user would need to be on the local network side of the router or have compromised another device on the network that could be used to attack the router.

 

D-Link recommends that all PCs (Windows or Mac) are up-to-date and scanned for viruses, bots, or other damaging software that could compromise the network they are connected to.

 

WiFi encryption reduces the risk from this vulnerability if the device Web-GUI is accessed over WiFi. If the WiFi network is encrypted, the malicious user would also need to compromise the WiFi encryption, or the PC using the Web-GUI utility, in order to monitor the traffic and intercept the cookie.

 

The default configuration of D-Link's devices is intended to provide simple installation, ease of use, and the widest interoperability. D-Link Systems (D-Link US) reminds customers to configure their devices specifically for the security concerns within their network infrastructure. In general, D-Link Systems (D-Link US) recommends disabling services not being used, changing/securing device log-in credentials, enabling WiFi encryption, and monitoring the router's log files and access-lists for your devices so security risks to your entire network are minimized.

 

 

Affected Product

   

| Model Name | HW Version | Vulnerability Discovered | Vulnerable FW Versions | Current FW Versions (include fixes) |
|---|---|---|---|---|
| DSR-500 | Ax | | | v 1.09.b61 (10/8/2014), Release Notes: Link |
| DSR-500N | Ax | | | v 1.09.b61 (10/8/2014), Release Notes: Link |
| DSR-1000 | Ax | | | v 1.09.b61 (10/8/2014), Release Notes: Link |
| DSR-1000N | Ax | | | v 1.09.b61 (10/8/2014), Release Notes: Link |

 

Security patch for your D-Link Devices

 

These firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, it can also be found in the device web configuration.