DIR-860L: Router Gigabit Cloud Dual Band AC 1200 SmartBeam

[Pondera]

Pubblicato firmware DIR-860L A1 1.11_BETA build 01-01 20180125.

Codice Seleziona Espandi

DIR-860L Firmware Patch Notes

Firmware: v1.11B01 BETA
Hardware: Ax
Date: February 28, 2018

Notes:

Reported: 01/14/2018
Discovered by: Kaixiang Zhang of Qihoo 360 Gear Team

Problems Resolved:

CVE-2018-6527
XSS vulnerability in htdocs/webinc/js/adv_parent_ctrl_map.php allowing remote
attackers to read a cookie via a crafted deviceid parameter to soap.cgi in the following:

DIR-868L - A1 FW112b04 and previous versions
DIR-865L - REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
DIR-860L - A1 FW110b04 and previous versions

CVE-2018-6528
XSS vulnerability in htdocs/webinc/body/bsc_sms_send.php allowing remote attackers to
read a cookie via a crafted receiver parameter to soap.cgi in the following:

DIR-868L - A1 FW112b04 and previous versions
DIR-865L - REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
DIR-860L - A1 FW110b04 and previous versions

CVE-2018-6529
XSS vulnerability in htdocs/webinc/js/bsc_sms_inbox.php allowing remote attackers to
read a cookie via a crafted Treturn parameter to soap.cgi in the following:

DIR-868L - FW112b04 and previous versions
DIR-865L - REVA_FIRMWARE_PATCH_1.08.B01and previous versions
DIR-860L - FW110b04 and previous versions

CVE-2018-6530
OS command injection vulnerability in soap.cgi (soapcgi_main incgibin) allowing remote
attackers to execute arbitrary OS commands via the service parameter in the following:

DIR-880L - REVA_FIRMWARE_PATCH_1.08B04 and previous versions
DIR-868L - A1 FW112b04 and previous versions
DIR-865L - REVA_FIRMWARE_PATCH_1.08.B01 and previous versions
DIR-860L - A1 FW110b04 and previous versions

Enhancements:
None

Known Issues:
None

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10080

Codice Seleziona Espandi

DISCLAIMER: Please note that this is a device beta software, beta firmware, or hot-fix release which is
still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is
provided on an "as is" and "as available" basis and the user assumes all risk and liability for use thereof.
D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the
beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or
consequential, suffered by any party as a result of their use of the beta firmware.


[Pondera]

Pubblicato firmware DIR-860L B1 2.04_BETA build 04-01_ic5b 20181205.

Codice Seleziona Espandi

DIR-860L Firmware Patch Notes

Firmware: 2.04B04_ic5b_BETA
Hardware: Bx
Date: January 4, 2019

Overview:
In November 2018, D-Link became aware of a 3rd Party security researcher that
accused the DIR-860L Hardware Rev. Bx and DIR-818LW Series Hardware Revision
Ax consumer routers of a remote command injection vulnerability.

After an investigation, this vulnerability is only accessible via the local-network (LAN-
side) of the router and not directly from the Internet (WAN-side) since it requires access
to the web browser configuration of the router.

3rd Party Report:
MinGeun Kim (pr0v3rbs _at_ kaist.ac.kr)
https://github.com/pr0v3rbs/CVE/tree/master/CVE-2018-20114

Problems Resolved:
CVE-2018-20114 - Unauthenticated OS Command Injection


Codice Seleziona Espandi

DISCLAIMER: Please note that this is a device beta software, beta firmware, or hot-fix release which is
still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is
provided on an "as is" and "as available" basis and the user assumes all risk and liability for use thereof.
D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the
beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or
consequential, suffered by any party as a result of their use of the beta firmware.


[Pondera]

Revisionati 1° & 2° messaggio di questa discussione ed aggiornati tutti i collegamenti.