DIR-859 + 13 other Router Models :: CVE-2019-17621 & CVE-2019-20213 LAN-side security vulnerability
08 siječnja, 2020
Overview
On November 5, 2019, third party security experts expanded the scope of their report of the DIR-859 (CVE-2019-17621 and CVE-2019-20213) to include: DIR-818Lx Bx firmware v2.05b03_Beta08, DIR-822 Cx firmware v3.12b04, DIR-822 Bx firmware v2.03b01, DIR-823 Ax firmware v1.00b06_Beta, DIR-859 Ax firmware v1.06b01_Beta01, DIR-865L Ax firmware v1.07.b01, DIR-868L Ax firmware v1.12b04, DIR-868L Bx firmware v2.05b02, DIR-869 Ax firmware v1.03b02_Beta02, DIR-880L Ax firmware v1.08b04, DIR-890L Ax firmware v1.11b01_Beta01, DIR-885L Ax firmware v1.12b05, DIR-895L Ax firmware v1.12b10. The security vulnerability potentially allowed a malicious user unauthenticated remote command execution on the LAN-side (from within the home network).
In order for this security exploit to be achieved, a malicious user would have to have internal access to the LAN-side of the router within the home, narrowing the risk of an attack considerably. Regardless we appreciate the 3rd parties report, confirmed and released patches to close this issue.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.
Disclosure
- CVE-2019-17621 ::
- (English) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f
- (English) https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-en-d94b47a15104
- (Spanish) https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-es-fad716629ff9
- CVE-2019-20213 ::
- (English) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f
- (Spanish) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-es-6540f7f55b03
Affected Products
For active products to close this you can download the patch and upgrade the device through the device web-configuration GUI.
| Model | HW Rev. | Region | Affected FW | Fixed FW | Current FW | Recommendation | Info Last Update |
|---|---|---|---|---|---|---|---|
| DIR-818LW | All Bx Revisions | EU | v2.05b03_Beta08 & older |
Under Development | v2.05b03_Beta08 | Scheduled for 01/20/2020 | 12/26/2019 |
| DIR-822 | All Bx Revisions | Non-EU | v2.03b01 & older |
Under Development | v2.03b1 | Check local website | 12/26/2019 |
| DIR-822 | All Cx Revisions | Non-EU | v3.12b04 & older |
v3.15WWb03 | v3.15WWb03 | Check local website | 12/26/2019 |
| DIR-823 | All Ax Revisions | Non-EU | v1.00b06_Beta & older |
Under Development | v1.00b06_Beta | Check local website | 12/26/2019 |
| DIR-859 | All Ax Revisions |
EU | v1.06b01Beta01 & older |
v1.07b03_beta* | v1.07b03_beta* |
Please download & upgrade |
12/26/2019 |
| DIR-865L | All Ax Revisions |
EU | v1.07b01 & older | EOL | EOL | Please See Below | 12/26/2019 |
| DIR-868L | All Ax Revisions |
EU | v1.12b04 & older | v1.20b07_jblf_beta* | 1.20b07_jblf_beta* | Please download & upgrade | 12/26/2019 |
| DIR-868L | All Bx Revisions |
EU | v2.05b02 & older | Under Development | v2.05b02 | Scheduled for 01/20/2019 | 12/26/2019 |
| DIR-869 | All Ax Revisions | EU | v1.03b02Beta02 & older | v1.04b03_beta01* | v1.04b03_beta01* | Please download & upgrade | 12/26/2019 |
| DIR-880L | All Ax Revisions | EU | v1.08b04& older | v1.20b02Beta01 | v1.20b02Beta01 | Please download & upgrade | 12/26/2019 |
| DIR-890L | All Ax Revisions | EU | v1.11b01_Beta01 & older | v1.21b02Beta | v1.21b02Beta | Please download & upgrade | 12/26/2019 |
| DIR-885L | All Ax Revisions | EU | v1.12b05 & older | v1.21b03* | v1.21b03* | Please download & upgrade | 12/26/2019 |
| DIR-895L | All Ax Revisions | EU | v1.12b10 & older | v1.21b05* | v1.21b05* | Please download & upgrade | 12/26/2019 |
*Note: Some routers must be updated twice to close this security issue. If you download the fixed firmware, and there are two firmware .BIN files in the ZIP-file, then the two-step update is required. First update the device from the Device Web-GUI using {Model-Device-Firmware}_middle.bin. Second update the device from the Device Web-GUI using {Model-Device-Final-Firmware}.bin.
Note on End of Life / End of Service Products
Certain reported models have reached End of Life/End of Service. Once a product has reached its EOL/EOS date, D-Link is unable to provide support or development for them and therefore unable to resolve newly discovered vulnerability concerns.
From time to time, D-Link will decide that certain of its products have reached EOL. D-Link may choose to EOL a product for many reasons, including shifts in market demands, technology innovation, costs or efficiencies based on new technologies, or the product matures over time and is replaced by functionally superior technology. Once a product is EOL, D-Link will provide the dates for which the support and service for that product will no longer be available.
While this is an established part of a product’s overall life cycle, D-Link understands that EOL of a product may affect an end-user’s decision to continue to use the product.
D-Link’s End-of-Life Policy can be found here: https://eu.dlink.com/eol