Overview
On November 1, 2018, a security researcher from CyCarrier CSIRT contacted D-Link regarding two security issues that affect the DIR-850L Hardware Rev. Ax/Bx, DIR-880L Hardware Rev. Ax, and DIR-822/DIR-822-US Hardware Rev. Cx. To identify the hardware revision, please inspect the label on the bottom of the device.
We coordinated with the security researcher from CyCarrier CSIRT, patched the issues, and released new firmware for each of the affected models below.
3rd Party researcher
Henry Huang from CyCarrier CSIRT
Description of Security Issue:
- Authentication bypass
- Authenticated RCE
This attack requires a user authenticated to the web-GUI configuration of the device. The web-GUI configuration interface is only available on the LAN side of the device.
WAN-side access to the web-GUI configuration is disabled by default, and D-Link never recommends enabling this feature.
Affected Product Models and Patches:
| Model | Hardware Revision | Affected FW | Fixed FW | Last Updated |
|---|---|---|---|---|
| DIR-822 | Revision C1 | v3.10B06 and older (lower) | v3.11B01Beta | 12/21/2018 |
| DIR-822-US | Revision C1 | v3.10B06 and older (lower) | v3.11B01Beta | 12/21/2018 |
| DIR-850L | All Revision A | v1.21B07 and older (lower) | v1.21B08Beta | 12/21/2018 |
| DIR-850L | All Revision B | v2.22B02Beta and older (lower) | v2.22B03Beta | 12/21/2018 |
| DIR-880L | All Revision A | v1.20B01Beta and older (lower) | v1.20B02Beta | 12/21/2018 |
Regarding Security Patches for Your D-Link Devices
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
As our products come in different hardware revisions, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can be found in the device's web configuration.