Support Announcements
DIR-816 :: Rev. A2 - (Non-US Product) Firmware: 1.10B05 :: CVE-2018-20305 - Unauthenticated RCE

Overview

 

On December 19, 2018, D-Link was made aware of the public disclosure of CVE-2018-20305, which describes a stack-overflow security vulnerability in the DIR-816 hardware revision A2 running firmware version v1.10B05.


3rd Party Security Vulnerability Report

 

CVE-2018-20305 :: https://nvd.nist.gov/vuln/detail/CVE-2018-20305

Github Disclosure :: https://github.com/RootSoull/Vuln-Poc/tree/master/D-Link/DIR-816

 

Report Description

 

Stack-based buffer overflows found on D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code execution without authentication. In the /goform/form2userconfig.cgi handler function, a long password may lead to a stack-based buffer overflow and overwrite the return address.
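
One way to flag requests matching this description in captured HTTP traffic, as an added example that is not code from D-Link or from the original report. It assumes URL-encoded form fields and a 64-byte length limit (the advisory gives no buffer size), and the field names in the sample requests are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/form2userconfig.cgi"  # handler named in the advisory
MAX_FIELD_LEN = 64  # assumed threshold; the advisory gives no buffer size


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (path, query, body) strings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    url = urlsplit(parts[1])
    return url.path, url.query, body.decode("latin-1")


def oversized_fields(raw: bytes, limit: int = MAX_FIELD_LEN):
    """Return {field: decoded_length} for over-limit values sent to the handler."""
    try:
        path, query, body = parse_request(raw)
    except ValueError:
        return {}
    if path.rstrip("/").lower() != TARGET_PATH:
        return {}
    hits = {}
    for source in (query, body):
        # Measure after URL-decoding: "%78" is a single byte to the CGI.
        for name, value in parse_qsl(source, keep_blank_values=True,
                                     encoding="latin-1"):
            if len(value) > limit:
                hits[name] = max(len(value), hits.get(name, 0))
    return hits


# Constructed sample requests; field names are illustrative assumptions.
NORMAL = (b"POST /goform/form2userconfig.cgi HTTP/1.1\r\n"
          b"Host: 192.0.2.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"username=admin&newpass=hunter2")
LONG = NORMAL.replace(b"hunter2", b"%78" * 300)
OTHER = LONG.replace(b"form2userconfig", b"form2other")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("long", LONG), ("other", OTHER)):
        print(label, oversized_fields(req))
```

A hit on this path from a client that never authenticated is worth triage on devices still running the affected firmware.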

 

Affected Products and Fixes:

 

Model | Revision | Affected FW | Fixed FW | Last Updated
DIR-816 | A2 | v1.10B05 (2018/01/04) | v1.11CNB02 | 12/28/2018

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.