• Home Support Forums Security Advisories Shop     English | French
Support Announcement
DAP-1860 :: HW Rev. Ax :: FW v1.04b01 and below (older) :: Unauthenticated Command Bypass & Command Injection

Overview

 

On September 30, 2019, D-Link becamea aware of a 3rd Party security researcher that accused the DAP-1860 Hardware Rev. Ax of a command injection security flaw that may lead To unauthenticated remote code execution (RCE) security vulnerability.  The devices is deployed LAN-side or in-home and does not require internet services, this does reduce some risk since a malicious user or attack whould have to be with-in physical proximity and be able to connect to the DAP-1860 WiFi signal that has WIFi encryption on as default.

 

As D-Link investigated, and validated the report, and in coordination with the 3rd Party we have release the following Beta Hot-Fix. We recommend always to keep up-to-date firmware which can be found  at https://support.dlink.com/ProductInfo.aspx?m=DAP-1860

 
The Beta Hot-Fix has been throught the required cyber-security testing and software quality assurance for the specific issue.  This releases has not been through a complete cycle, nor will it be released as a fully qualified software release. 

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates regularly.

  

3rd Party Report:

 

 Nguyen Van Chung :: chung96vn _at_  gmail _dot_ com

 
     - Public Disclosure: https://chung96vn.wordpress.com/2019/11/15/d-link-dap-1860-vulnerabilities/

     - CVE-2019-19597 : https://nvd.nist.gov/vuln/detail/CVE-2019-19597

       - CVE-2019-19598 : https://nvd.nist.gov/vuln/detail/CVE-2019-19598

 

Affected Products and Fixes:

 

Model Revision Affected FW Fixed FW  Last Updated
DAP-1860 All Ax revisions v1.04b01 and below (older) v1.04b03 Beta Hot Fix

11/13/2019

 

 

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.

 

Tto help better protect devices from security attacks, malware, and ransomware:

1. Keep device firmware up-to-date.

2. Any computer accessing information on this devices should have appropriate anti-virus protection and malware protection enabled

3. Regular back-ups of stored information on user devices should occur in case a disaster recovery is needed.

 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.