DIR‑859 + 13 other Router Models :: CVE‑2019‑17621 & CVE‑2019‑20213 LAN‑side security vulnerability

08 January, 2020

Overview

On November 5, 2019, third party security experts expanded the scope of their report of the DIR-859 (CVE-2019-17621 and CVE-2019-20213) to include: DIR-818Lx Bx firmware v2.05b03_Beta08, DIR-822 Cx firmware v3.12b04, DIR-822 Bx firmware v2.03b01, DIR-823 Ax firmware v1.00b06_Beta, DIR-859 Ax firmware v1.06b01_Beta01, DIR-865L Ax firmware v1.07.b01, DIR-868L Ax firmware v1.12b04, DIR-868L Bx firmware v2.05b02, DIR-869 Ax firmware v1.03b02_Beta02, DIR-880L Ax firmware v1.08b04, DIR-890L Ax firmware v1.11b01_Beta01, DIR-885L Ax firmware v1.12b05, DIR-895L Ax firmware v1.12b10. The security vulnerability potentially allowed a malicious user unauthenticated remote command execution on the LAN-side (from within the home network).

In order for this security exploit to be achieved, a malicious user would have to have internal access to the LAN-side of the router within the home, narrowing the risk of an attack considerably. Regardless we appreciate the 3rd parties report, confirmed and released patches to close this issue.

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures.

 

Disclosure

          -  CVE-2019-17621 ::

             - (English) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f

             - (English) https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-en-d94b47a15104

             - (Spanish) https://medium.com/@s1kr10s/d-link-dir-859-rce-unautenticated-cve-2019-17621-es-fad716629ff9

 

            -  CVE-2019-20213 :: 

             - (English) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-en-faf1a9a13f3f

             - (Spanish) https://medium.com/@s1kr10s/d-link-dir-859-unauthenticated-information-disclosure-es-6540f7f55b03

             

 

Affected Products

 

For active products to close this you can download the patch and upgrade the device through the device web-configuration GUI.

 

Model HW Rev. Region Affected FW Fixed FW Current FW Recommendation Info Last Update
DIR-818LW All Bx Revisions EU v2.05b03_Beta08 & older
Under Development v2.05b03_Beta08 Scheduled for 01/20/2020 12/26/2019
DIR-822 All Bx Revisions Non-EU v2.03b01 & older
Under Development v2.03b1 Check local website 12/26/2019
DIR-822 All Cx Revisions Non-EU v3.12b04 & older
v3.15WWb03 v3.15WWb03 Check local website 12/26/2019
DIR-823 All Ax Revisions Non-EU v1.00b06_Beta & older
Under Development v1.00b06_Beta Check local website 12/26/2019
DIR-859 All Ax Revisions
EU v1.06b01Beta01 & older
v1.07b03_beta* v1.07b03_beta*

Please download & upgrade

12/26/2019
DIR-865L All Ax Revisions
EU v1.07b01 & older EOL EOL Please See Below 12/26/2019
DIR-868L All Ax Revisions
EU v1.12b04 & older v1.20b07_jblf_beta* 1.20b07_jblf_beta* Please download & upgrade 12/26/2019
DIR-868L All Bx Revisions
EU v2.05b02 & older Under Development v2.05b02 Scheduled for 01/20/2019 12/26/2019
DIR-869 All Ax Revisions EU v1.03b02Beta02 & older v1.04b03_beta01* v1.04b03_beta01* Please download & upgrade 12/26/2019
DIR-880L All Ax Revisions EU v1.08b04& older v1.20b02Beta01 v1.20b02Beta01 Please download & upgrade 12/26/2019
DIR-890L All Ax Revisions EU v1.11b01_Beta01 & older v1.21b02Beta v1.21b02Beta Please download & upgrade 12/26/2019
DIR-885L All Ax Revisions EU v1.12b05 & older v1.21b03* v1.21b03* Please download & upgrade 12/26/2019
DIR-895L All Ax Revisions EU v1.12b10 & older v1.21b05* v1.21b05* Please download & upgrade 12/26/2019

 

*Note: Some routers must be updated twice to close this security issue. If you download the fixed firmware, and there are two firmware .BIN files in the ZIP-file, then the two-step update is required. First update the device from the Device Web-GUI using {Model-Device-Firmware}_middle.bin. Second update the device from the Device Web-GUI using {Model-Device-Final-Firmware}.bin.

 

 

Note on End of Life / End of Service Products

 

Certain reported models have reached End of Life/End of Service. Once a product has reached its EOL/EOS date, D-Link is unable to provide support or development for them and therefore unable to resolve newly discovered vulnerability concerns.

From time to time, D-Link will decide that certain of its products have reached EOL. D-Link may choose to EOL a product for many reasons, including shifts in market demands, technology innovation, costs or efficiencies based on new technologies, or the product matures over time and is replaced by functionally superior technology. Once a product is EOL, D-Link will provide the dates for which the support and service for that product will no longer be available.

While this is an established part of a product’s overall life cycle, D-Link understands that EOL of a product may affect an end-user’s decision to continue to use the product.

D-Link’s End-of-Life Policy can be found here: https://eu.dlink.com/eol