Support Announcements
DIR-860L Rev. Bx and DIR-818LW Rev. Bx :: CVE-2018-20114 :: LAN-side Unauthenticated Command Execution Vulnerability

Overview

 

In November 2018, D-Link became aware of a report from a 3rd-party security researcher that the DIR-860L Hardware Rev. Bx and DIR-818LW Series Hardware Revision Bx consumer routers have a remote command injection vulnerability.

 

After an investigation, D-Link found that this vulnerability is only accessible via the local network (LAN side) of the router and not directly from the internet (WAN side), since it requires access to the web browser configuration of the router.

 

3rd Party Report:

 

MinGeun Kim :: pr0v3rbs _at_ kaist.ac.kr

 

 

Since this time, D-Link has diligently investigated and patched several issues that were publicly disclosed in the following CVEs.

 

Details

 

On D-Link DIR-818LW Rev. B 2.05.B03 and DIR-860L Rev. B 2.03.B03 devices, unauthenticated remote OS command execution can occur in the soap.cgi service of the cgibin binary via an "&&" substring in the service parameter. NOTE: this issue exists because of an incomplete fix for CVE-2018-6530.
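
One common way an input-filtering fix ends up incomplete is that it enumerates known-bad characters and misses one, such as the "&" described above. The following is an added example, not D-Link firmware code and not part of the original advisory: a hypothetical denylist check (its character set is an assumption chosen for illustration) beside an allowlist check for a "service" value; the function names and sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical denylist filter: rejects a fixed set of shell
 * metacharacters. The set is an assumption for illustration;
 * '&' is not in it, so "&&" passes unchanged. */
static int denylist_ok(const char *service)
{
    return strpbrk(service, ";|`$\n") == NULL;
}

/* Allowlist filter: accept only a short name made of letters,
 * digits, '_' and '-'. Every other byte, including '&', is
 * rejected without having to be listed. */
static int allowlist_ok(const char *service)
{
    size_t n = strlen(service);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = {
        "ExampleService1",
        "ExampleService1;placeholder",
        "ExampleService1&&placeholder",
        "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s denylist=%d allowlist=%d\n", samples[i],
               denylist_ok(samples[i]), allowlist_ok(samples[i]));
    return 0;
}
```

Validation of this kind is a second line of defense; a handler that passes the value as a separate argument to an exec-style call, rather than building a shell command string, removes the shell interpretation step entirely.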

 

Affected Products and Fixes:

 

Model | Revision | Affected FW | Fixed FW | Last Updated
DIR-818LW (white) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/D (black) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/R (red) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-818LW/T (teal) | All B revisions | v2.05.B03 and Lower (older) | v.2.06B01Beta | 01/04/2019
DIR-860L | All B revisions | v2.03.B03 and Lower (older) | v.2.04B04Beta01 | 01/04/2019

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
 
As there are different hardware revisions of our products, please check the revision of your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.