CVE-2020-13787: D-Link Technical Support
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information.
DIR-865L :: Rev. Ax :: End of Support / End of Life Product :: Reporting Multiple Vulnerabilities
Overview
On February 28, 2020, a report from a security researcher at Palo Alto Networks identified the DIR-865L hardware Ax with 1.20B01 Beta released on August 9, 2018, as potentially having multiple security vulnerabilities.
DIR-865L reached its End of Support (“EOS”) / End of Life (“EOL”) Date on 02/01/2016. As a general policy, when a product reaches EOS/EOL, it can no longer be supported, and all firmware development for the product ceases, except in certain unique situations. In this particular case for the DIR-865L, D-Link was able to provide a Beta Patch Release after the EOS/EOL Date. Please see the information and recommendations below.
As a part of our standard process, we accept reports from 3rd parties and then confirm the report across the family of products that could be affected by software or hardware design similarities that are or were shipped under the D-Link brand globally.
Third-Party Report
Gregory Basior:: Palo Alto Networks:: Gasior _at_ Palo alto networks _dot_ com
Davila Loranca:: Palo Alto Networks:: adavilaloran _at_ Palo alto networks _dot_ com
Jun Du:: Palo Alto Networks:: judu _at_ Palo alto networks _dot_ com
CVE-ID::
CVE-2020-13785 D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13782 D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.
CVE-2020-13784 D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13783 D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13786 D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.
CVE-2020-13787 D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information.
CWE-IDs::
1. CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)
2. CWE-352: Cross-Site Request Forgery (CSRF)
3. CWE-326: Inadequate Encryption Strength
4. CWE-337: Predictable seed in Pseudo-Random Number Generator
5. CWE-312: Cleartext Storage of Sensitive Information
6. CWE-319: Cleartext Transmission of Sensitive Information
Exceptional Beta Patch Release
Released: v1.20B01Beta01 05-26-2020 :: LINK
D-Link continues to recommend that, for End of Support (“EOS”) / End of Life (“EOL”) products, a product owner should retire the EOS/EOL product and replace it with an actively supported product.
Owners of the DIR-865L who use this product beyond EOS/EOL, at their own risk, should manually update to the latest firmware. This beta release is the result of an investigation based on our understanding of the report, and is released after a complete investigation of the entire family of products that may be affected. Releasing firmware after EOS/EOL is not a standard operating procedure.
**CWE-ID Fixes Offered In Exceptional Beta Release**
2. CWE-352: Cross-Site Request Forgery (CSRF)
3. CWE-326: Inadequate Encryption Strength
5. CWE-312: Cleartext Storage of Sensitive Information
Recommendation for End of Support Life Products
From time to time, D-Link will decide that some of its products have reached End of Support (“EOS”) / End of Life (“EOL”). D-Link may choose to EOS/EOL a product due to the evolution of technology, market demands, new innovations, or product efficiencies based on new technologies, or because the product has matured over time and should be replaced by functionally superior technology.
For US Consumer
If a product has reached End of Support (“EOS”) / End of Life (“EOL”), there is normally no further extended support or development for it. Once a product reaches its EOL/EOS date, it is transferred to https://legacy.us.dlink.com/.
Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased.
The DIR-865L is an exceptional circumstance in which D-Link is able to provide a Beta Patch Release. However, D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use the DIR-865L against D-Link’s recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device’s unique password for access to its web configuration, and always have Wi-Fi encryption enabled with a unique password.