Tangible Announcements

McLean, Virginia - February 25, 2015

Tangible Security researchers Mike Baucom, Allen Harper, and J. Rach discovered serious vulnerabilities in two devices made by D-Link.

D-Link DCS-931L

  • A Day & Night Wi-Fi Camera
  • More info from vendor
  • CVE-2015-2049
  • Vulnerability Description: A hidden webpage on the device allows an attacker to upload arbitrary files from the attacker's system. Because the attacker can specify the location on the device where the file is written, the attacker can install new functionality. Affected: D-Link DCS-931L, firmware version 1.04 (2014-04-21) / 2.0.17-b62. Older versions and configurations were NOT tested. This also applies to the DCS-930L, DCS-932L, and DCS-933L models.
  • Impact Description: Because any file in the file system can be overwritten, the attacker can overwrite the functionality of the device. The unintended functionality reveals details that could lead to further exploitation. There are security impacts to the confidentiality, integrity, and availability of the device and its services.
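The following is an added illustration of the vulnerability class described above (a client-supplied destination path deciding where an uploaded file is written), not code from the D-Link firmware or from Tangible Security. It contrasts a flawed upload handler with a hardened one; the upload directory, function names and file names are assumptions constructed for the example.

```python
import os
import re

# Hypothetical upload directory for the illustration; not a path from the advisory.
UPLOAD_ROOT = "/var/www/uploads"

# Allowed file names: a plain basename, no separators, no leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def target_path_unsafe(requested: str) -> str:
    """Flawed pattern: the client-supplied path decides where the file lands.

    os.path.join discards the base when `requested` is absolute, and ".."
    components walk out of UPLOAD_ROOT, so any file on the device can be
    overwritten (the class of bug described for the DCS-931L).
    """
    return os.path.normpath(os.path.join(UPLOAD_ROOT, requested))


def target_path_safe(requested: str) -> str:
    """Hardened pattern: only a validated basename under UPLOAD_ROOT is accepted."""
    if not _SAFE_NAME.fullmatch(requested):
        raise ValueError(f"rejected upload name: {requested!r}")
    full = os.path.normpath(os.path.join(UPLOAD_ROOT, requested))
    # Defence in depth: confirm the normalised path is still inside UPLOAD_ROOT
    # even if the allow-list above is loosened later.
    if os.path.commonpath([UPLOAD_ROOT, full]) != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {full}")
    return full


def upload_allowed(requested: str) -> bool:
    """True if the hardened handler would accept this client-supplied name."""
    try:
        target_path_safe(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one legitimate, two that try to leave the upload root.
    for name in ("snapshot.jpg", "../../../tmp/escape.txt", "/tmp/escape.txt"):
        print(f"{name!r:28} unsafe -> {target_path_unsafe(name):26} "
              f"safe accepts: {upload_allowed(name)}")
```

The allow-list on the basename is the primary control; the commonpath check only catches mistakes if that allow-list is later relaxed. On a device, the upload directory should also be non-executable and the endpoint itself should require authentication, since path confinement alone does nothing for a page that was never meant to be reachable.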
D-Link DAP-1320

  • A Wi-Fi Range Extender
  • More info from vendor
  • CVE-2015-2050
  • Vulnerability Description: A command injection vulnerability was discovered in the firmware update functionality. Exploitation requires interception and manipulation of network communications using commonly available tools. Affected: D-Link DAP-1320, firmware version 1.11 (released 22 Dec 2013). Older versions and configurations were NOT tested. CWE-78: OS Command Injection.
  • Impact Description: By exploiting the command injection, an attacker could compromise the system and subvert it for the attacker's purpose, for example sniffing passwords from the Wi-Fi users. There are security impacts to the confidentiality, integrity, and availability of the device and its services.
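The following is an added illustration of the CWE-78 class described above, where data from the firmware update exchange is spliced into a shell command. It is not code from the D-Link firmware or from Tangible Security; the manifest format, the `fwupdate` command name and the HMAC key are assumptions constructed for the example, and the HMAC stands in for the public-key signature a real device would verify over update metadata.

```python
import hashlib
import hmac
import json
import re

# Constructed stand-in for a vendor update-server key. A real device would verify a
# public-key signature over the manifest rather than use a shared secret.
MANIFEST_KEY = b"example-manifest-key"

# Allowed image names: plain basename, ends in .bin, no shell metacharacters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.bin$")


def build_command_unsafe(manifest_json: str) -> str:
    """Flawed pattern: an unauthenticated manifest field is interpolated into a
    shell command string. Anyone who can alter the update response on the
    network controls what the shell runs."""
    name = json.loads(manifest_json)["filename"]
    return f"fwupdate --image /tmp/{name}"


def sign_manifest(manifest_json: str) -> str:
    """Server side (or test helper): authentication tag over the manifest bytes."""
    return hmac.new(MANIFEST_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()


def verify_manifest(manifest_json: str, tag_hex: str) -> dict:
    """Reject any manifest whose tag does not match; tampering in transit fails here."""
    expected = sign_manifest(manifest_json)
    if not hmac.compare_digest(expected, tag_hex):
        raise ValueError("manifest authentication failed")
    return json.loads(manifest_json)


def build_command_safe(manifest_json: str, tag_hex: str) -> list:
    """Hardened pattern: authenticate the manifest, allow-list the file name, and
    return an argv list for subprocess.run(..., shell=False) so no shell ever
    parses the value."""
    manifest = verify_manifest(manifest_json, tag_hex)
    name = manifest["filename"]
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected image name: {name!r}")
    return ["fwupdate", "--image", f"/tmp/{name}"]


def update_accepted(manifest_json: str, tag_hex: str) -> bool:
    """True if the hardened handler would proceed with this manifest."""
    try:
        build_command_safe(manifest_json, tag_hex)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed manifests: a genuine one and one altered in transit.
    genuine = '{"filename": "firmware_example.bin"}'
    altered = '{"filename": "fw.bin; echo injected"}'
    tag = sign_manifest(genuine)
    print("unsafe command string:", build_command_unsafe(altered))
    print("safe argv:", build_command_safe(genuine, tag))
    print("altered manifest accepted:", update_accepted(altered, tag))
```

Two independent controls are at work: the tag check detects the manipulated response the advisory describes, and the argv list plus name allow-list removes the shell from the picture even if the authentication step is ever bypassed. Fetching the manifest over TLS with certificate validation closes the interception path itself.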
Tangible Security is unaware of any public exploits of these vulnerabilities. However, given how these vulnerabilities are categorized, it may be reasonable to believe that cyber criminals are exploiting them.

We urge users of these devices, including older and newer models, to download and install the latest firmware updates available from D-Link that address these vulnerabilities. Failing to do so exposes those benefiting from the use of these devices to cyber crime risks.

Our researchers wish to express their appreciation for D-Link’s cooperation and desire to make their products and customers more secure.