Support Announcements
Central WiFi Manager (CWM-100) :: CVE-2018-15515 - Privilege Escalation on File System

On November 8, 2018, it was disclosed that D-Link's Central WiFi Manager software (described here), was disclosed to have a Privledged Escalation vulnerabiliy.

 

D-Link® Central WiF iManager software controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFi Manager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network. Whether deployed on a local computer or hosted on a public cloud service, Central WiFi Manager can be easily integrated into existing networks in conjunction with supporting D-Link wireless APs, to help eliminate existing bottlenecks for wireless traffic.

 

3rd Party Report Accreditation:

 

Author: John Page (aka hyp3rlinx) :: hyp3rlinx <apparitionsec () gmail com>

 

 

Affected Products:

 

This disclosure directly affects the software package and current installations should be update with the new released available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk.

 

Solution/Patch/Fix:

  1. Arbitrary SQL query(conn.php).
  2. Remote command execution(index.action.class.php)
  3. SQL injection(payaction.class.php)
  4. Cross site scripting(payaction.class.php)
 Affected Product Affected Version Corrected Version Last Updated
CWM-100 :: D-Link Central WiFi Manager  Ver. 1.03 for Windows v.1.03r001_Beta06 12/03/2018

 

Security Patches

 

These updates address the security vulnerabilities in affected D-Link software package. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

To update we reccomend saving your configuration, uninstall the old package, then install the new update.  Further assistance  can be found via chat or email at http://support.dlink.com