DIR-890L/R, DIR-885L/R, and DIR-895L/R :: CVE-2018-12103 :: Predictability of Captcha Feature for Web-Configuration Login

On June 10, 2018, a third party reported a vulnerability in the web configuration login for the DIR-890L/R, DIR-885L/R, and DIR-895L/R. Enabling the CAPTCHA feature on the device's login page adds protection to the credentials by requiring the user not only to supply the admin credentials, but also to solve a displayed CAPTCHA graphic.

This vulnerability requires the malicious user to be connected to the LAN-side local network (in the home). The malicious user can construct requests to the device that result in disclosure of the CAPTCHAs used by the access point, and can elect to load the CAPTCHA of their choosing.

The device still requires the admin credentials, which lowers the severity of the report; however, if the vulnerability is used, the improvement in security that the CAPTCHA feature adds to the login can be bypassed.

 

3rd Party Report Information:

Kevin R <krandall2013 () gmail com> Reported June 10, 2018, Publicly Disclosed June 23, 2018

Details

Please read the original disclosure by the 3rd party, and we encourage you to contact them if you have any questions.

An issue was discovered on D-Link DIR-890L devices. Due to the predictability of the /docs/captcha_(number).jpeg URI, being local to the network, but unauthenticated to the administrator's panel, an attacker can disclose the CAPTCHAs used by the access point and can elect to load the CAPTCHA of their choosing, leading to unauthorized login attempts to the access point.

D-Link has expanded the scope to include DIR-885L/R and DIR-895L/R.
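The weakness described above is that each CAPTCHA image is addressed by a sequential number, so an unauthenticated LAN client can request images it was never issued. The following Python example is added here for illustration and is not part of the advisory or of D-Link's firmware. It shows two things a defender can do with that knowledge: a detection routine that scans web-server access logs (constructed sample lines in Common Log Format, with made-up client addresses and timestamps) for a single client fetching many distinct /docs/captcha_N.jpeg images in a short window, and a hardened issuance scheme in which each CAPTCHA is referenced by an unguessable, session-bound, single-use token rather than a counter. The log format, thresholds, and the CaptchaStore class are assumptions for the example, not the device's actual logging or code.

```python
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format). The client
# addresses, timestamps and byte counts are made up for this example.
SAMPLE_LOG = """\
192.168.0.10 - - [10/Jun/2018:21:04:01 +0000] "GET /docs/captcha_17.jpeg HTTP/1.1" 200 4211
192.168.0.10 - - [10/Jun/2018:21:04:05 +0000] "POST /login.cgi HTTP/1.1" 302 0
192.168.0.23 - - [10/Jun/2018:21:05:00 +0000] "GET /docs/captcha_1.jpeg HTTP/1.1" 200 4102
192.168.0.23 - - [10/Jun/2018:21:05:00 +0000] "GET /docs/captcha_2.jpeg HTTP/1.1" 200 4120
192.168.0.23 - - [10/Jun/2018:21:05:01 +0000] "GET /docs/captcha_3.jpeg HTTP/1.1" 200 4099
192.168.0.23 - - [10/Jun/2018:21:05:01 +0000] "GET /docs/captcha_4.jpeg HTTP/1.1" 200 4180
192.168.0.23 - - [10/Jun/2018:21:05:02 +0000] "GET /docs/captcha_5.jpeg HTTP/1.1" 200 4133
192.168.0.23 - - [10/Jun/2018:21:05:02 +0000] "GET /docs/captcha_6.jpeg HTTP/1.1" 200 4140
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The predictable URI pattern named in the advisory.
CAPTCHA_RE = re.compile(r"^/docs/captcha_(?P<n>\d+)\.jpeg$")


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def captcha_enumeration_alerts(log_text, threshold=5, window_seconds=60):
    """Flag clients that fetched at least `threshold` distinct CAPTCHA numbers
    within any `window_seconds` span. Returns a list of (ip, distinct_count)."""
    first_seen = defaultdict(dict)  # ip -> {captcha number: first request time}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        cm = CAPTCHA_RE.match(rec["path"])
        if cm:
            first_seen[rec["ip"]].setdefault(int(cm["n"]), rec["ts"])

    alerts = []
    window = timedelta(seconds=window_seconds)
    for ip, seen in first_seen.items():
        times = sorted(seen.values())
        best, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted request times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((ip, best))
    return alerts


class CaptchaStore:
    """Hardened issuance (assumed design, not the device's code): each CAPTCHA is
    addressed by an unguessable, session-bound, single-use reference instead of
    a sequential number, so a client cannot request images it was not issued."""

    def __init__(self):
        self._pending = {}  # reference -> session id it was issued to

    def issue(self, session_id):
        ref = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._pending[ref] = session_id
        return ref

    def redeem(self, ref, session_id):
        """True only if `ref` was issued to this session and has not been used."""
        if self._pending.get(ref) != session_id:
            return False
        del self._pending[ref]  # single use: a replayed reference fails
        return True


if __name__ == "__main__":
    for ip, n in captcha_enumeration_alerts(SAMPLE_LOG):
        print(f"possible CAPTCHA enumeration from {ip}: {n} distinct images")
```

Run against the constructed log, the detector flags 192.168.0.23 (six distinct images in two seconds) and ignores 192.168.0.10, which fetched the single image shown before its login attempt. The threshold and window should be tuned to how often legitimate users reload the login page on the deployment in question.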


Affected Products and Fixes:

Model        Hardware Revision   Affected FW                        Fixed FW                 Last Updated
DIR-890L/R   All Revisions       v1.21B02beta01 and older (lower)   Investigating Solution   11/16/2018
DIR-885L/R   All Revisions       v1.21B03Beta01 and older (lower)   Investigating Solution   11/16/2018
DIR-895L/R   All Revisions       v1.21B04beta01 and older (lower)   Investigating Solution   11/16/2018


Regarding Security Patches for your D-Link Devices

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

As there are different hardware revisions of our products, please check the hardware revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device's web configuration.