D-Link Warns of Vulnerable Routers
wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSac claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Link's customers.
I don't blame them. Finding security contacts for consumer hardware companies is next to impossible.
Whether it is D-Link, Belkin, Netgear - I don't believe any of them have a public security page similar to any major software vendors.
Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?
To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
Because slashdot is the target audience for UGG advertising...
>"The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSac claim that all D-Link routers sold since 2006 were affected."
:)
It's one thing to be a commenter/whistle-blower - it is entirely another to be an apologist in the same breath.
Once you pull the trigger, you can't run, catch the bullet and put it back in the same chamber, eh? A simple "only customers who updated their firmware are potentially affected" would have been fine...if only you'd left it there
We'll let it go this time, but do it again and it's gonna be all 'look people! point and laugh! point and laugh!!!!'
It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list happens to have a list of routers that use UBICOM boards.
Some other UBICOM based devices listed in TFA's comments include:
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
SourceSAC didn't come out of LOL town.
lol my thoughts exactly. Slashdot is the anti-ugg crowd. If you wanna spam, at least spam geeky shit. I might click on that.
You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
And as far as MS goes they NEED all the help they can get.
If anyone has a DGL-4500 router and experiences constant lockups with it (forced to power cycle the unit), you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.
As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
http://forums.dlink.com/index.php?board=144.0
Life is not for the lazy.
This attack only works when a system on the LAN initiates it.
It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.
I'm guessing that this is successfully used only in highly targeted attacks.
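A defender-side check for the DNS rebinding route mentioned in the comment above, as an added example that is not part of the original thread: it scans resolver answers for public names that resolve to internal addresses, which is the condition that lets a web page reach a router's LAN-side interface. The log tuples, the local-zone suffixes and the 120-second window are assumptions constructed for illustration.

```python
import ipaddress

# IPv4 ranges a public DNS name has no business resolving to (IPv6 not covered here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
)]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed local-only zones

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in INTERNAL_NETS)

def find_rebinding(records, window=120):
    """records: (epoch_seconds, qname, answer_ip) tuples in time order.
    Returns {qname: reason} for names that look like DNS rebinding."""
    last_public = {}   # qname -> time of the most recent public answer
    findings = {}
    for ts, qname, answer in records:
        name = qname.rstrip(".").lower()
        if name.endswith(LOCAL_SUFFIXES):
            continue   # local zones legitimately map to internal addresses
        if not is_internal(answer):
            last_public[name] = ts
            continue
        seen = last_public.get(name)
        if seen is not None and ts - seen <= window:
            # Same name answered publicly, then internally: the rebinding pattern.
            findings[name] = "flipped public->internal in %ds" % (ts - seen)
        else:
            # May be split-horizon DNS; allowlist such names after review.
            findings.setdefault(name, "public name with internal answer")
    return findings

# Constructed sample resolver log (not real traffic).
SAMPLE = [
    (1000, "www.example.org.", "203.0.113.10"),
    (1005, "router.lan.", "192.168.0.1"),
    (1010, "a1.rebind.example.", "203.0.113.66"),
    (1013, "a1.rebind.example.", "192.168.0.1"),
    (1020, "intranet.example.com.", "10.1.2.3"),
]

if __name__ == "__main__":
    for name, reason in find_rebinding(SAMPLE).items():
        print(name, "->", reason)
```

A resolver that drops such answers outright removes the browser's path to the router; this log check is for networks where that filter is not available or needs verifying.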
I don't see any update for the DIR-655, last firmware is from 07/2009, v1.32NA.
I hope they release soon, I know a few not so savvy users who have this model.
If you are that high tech, you probably would have a custom Router anyway? Hmmmmm.
I really don't :(
Hopefully this whole thing gets corrected without too much harm :)
This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting uPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.
Search for some of the exploits yourself, many of them uPnP, visit the router manufacturer's webpages listings for each of their routers, check their latest firmware update release and discover for yourself just how many routers haven't received any updates for years. What's even more shocking is many of these routers CONTINUE to be sold IN STORES and online, often the boxes still claiming how much security they offer when no firmware updates are available for many of them! Many old firmware patches resolve some issues with uPnP but do not offer protection against newer uPnP (and other) attacks!
This is clearly insane!
Router manufacturers should continue to patch old routers, especially those products of theirs still being sold in brick and mortar retail outlets!
This is obviously being swept under the rug, as many individuals who have been screaming on manufacturer's forums, mailing lists, e-mails, even via snail mail are being disregarded, posts/threads being shuffled off quietly, people being told to buy a newer router than the one at the store which claimed to offer a good degree of security, only to find their newer router purchased often with old firmware and no modern firmware available!
Governments and people need to hold these manufacturers accountable!
That's the latest I see too.
My concern with the DIR-655 is that I'm still at v1.21 [HW rev A3]. I've read nothing but nightmare stories of people with perfectly stable 1.2x routers who then upgraded to 1.3X firmwares and had tons of trouble and instability. At v1.21 my router is absolutely rock solid. This is the best, most stable wireless router I've ever had. If the 1.21 firmware is affected, and I'm forced to upgrade to 1.3X and it causes my router to become unstable, I'm going to be PISSED!
I realize I might as well be wishing for a free Ferrari, a Unicorn and a date with Mira Sorvino, but it would be great if D-Link released a 1.2x firmware with just the fix for this issue. Alas, it is unlikely.
Nothing to see here
Does it matter, presuming your computers are all safely configured for direct connection to the net? Or does a vulnerable router mean you're wide open to say a man in the middle attack?
If I read that right I should be fine as long as I secure the user account as well as the admin account. (And, of course, disable remote access.) Can anybody confirm/correct? Thanks.
So, you're surfing from home and you go to a site with a banner and you get a drive by infection.
Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.
Who the fuck thought it would be a good idea to allow other apps to open the firewall?
From routers and switches to cameras, all I have seen is half-finished, overpriced junk
God's gift to chicks
I reckon it depends on how much you trust your ISP (Is it Comcast? comes to mind), but you could roll your own DNS server.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Don't feel bad. All I have to contribute is "A stable rev of dd-wrt for the DIR-655 that addresses speed issues with the existing version, and I won't care." (Besides, my wireless routers are behind another unaffected router.)
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Yeah, why do we always get the lame spam? To me this is just a sign of a lazy spammer. Target your audience spammers! At least offer us dodgy RAM or fake CPUs or something we might actually care about!
ACs don't waste your time replying, your posts are never seen by me.
He didn't even fgsfds right...
Maybe that's why the last DIR-615 was acting strange, I replaced it with another DIR-615 but it has firmware version C1. Guess I'm safe, for now..
"I bow to no man" - Riddick
I wouldn't buy a BRICK from DLink anymore. I have yet to see anything made by them that wasn't the worst I'd ever seen of whatever it was. NICs, routers, switches, whatever, they were all crap, with crap drivers, crap firmware, crap everything. They must have the schmoozingest marketing department ever to still be in business.
D-Link goes ape-shit about home router, really ?
How about freaking professional ISP Access Switches DES-3028, which love to turn themselves into hubs with high probability ?
http://forum.dlink.ru/viewtopic.php?t=96443
http://forum.nag.ru/forum/index.php?showtopic=52882
http://nag.ru/news/15587/
(in russian, use google-translate if must)
instead of learning MACs(48 bit) and VIDs(12 bit) its Broadcom board uses weak 13 bit hash of partial MAC+VID...
guess what happens when its own hash match client's one or several or other switch...
does D-Link, Zyxel and other vendors, who use same board, care about those ?
I know, i know, only russian niggards use them, but DIRs and DGSs is what usually on the other side...
My guess is that they are trying to improve their search results on Google. Yay slashdot as SEO?
Interesting you should say "brick". About a year ago, I updated a DIR-655 with the latest firmware, version 1.20 I believe. It turned the router into a brick. It no longer stored anything - acted like it was working but then you'd reboot and nothing had changed. Couldn't even update it anymore, reflash it or whatever, nothing. A plastic brick.
My recommendation would be not to update a D-Link router at all. The "tech support" from India was no help, and when the call time was approaching the limit, he hurriedly cut me off and wished me luck. They refused to send me an RMA or even talk to me after that.
I eventually bought a new one, stuck the old one in the new box and took it back to the store. At least I have a working router now, which I will never update the firmware on. And a resolve to never buy D-Link again.
To get in touch with D-Link you cannot write an email (at least not for Swedish D-Link) or fill in a web form; you have to install a plug-in to your Internet Explorer 6 or 7. Thus I have purchased my last D-Link product! D-Link is from now on banned on my network! // Linux on all computers at home!