Slashdot Mirror


D-Link Warns of Vulnerable Routers

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.


  1. Wouldn't the responsible thing be... by JoshDD · · Score: 4, Insightful

    to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Link's customers.

    1. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 4, Insightful

      hahahaha
      dlink would've done jack shit like every other company without being publicly humiliated.

    2. Re:Wouldn't the responsible thing be... by h4rr4r · · Score: 2, Insightful

      All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.

    3. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 2, Insightful

      I don't think anyone on the planet can find a D-Link security contact. More responsible companies make this easy.

    4. Re:Wouldn't the responsible thing be... by Koby77 · · Score: 4, Insightful

      But what does SourceSec get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....

    5. Re:Wouldn't the responsible thing be... by digitalunity · · Score: 4, Interesting

      Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

      The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.

    6. Re:Wouldn't the responsible thing be... by davester666 · · Score: 4, Interesting

      TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?

      --
      Sleep your way to a whiter smile...date a dentist!

    7. Re:Wouldn't the responsible thing be... by Wrath0fb0b · · Score: 2, Insightful

      dlink would've done jack shit like every other company without being publicly humiliated.

      Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

    8. Re:Wouldn't the responsible thing be... by Wrath0fb0b · · Score: 4, Insightful

      The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

      While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

      "Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

      versus

      "Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we go through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

      TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.

    9. Re:Wouldn't the responsible thing be... by DigiShaman · · Score: 2, Interesting

      I pulled a reverse DNS lookup on it. It's static, and points back to servage.net in Germany. But wait, there's more...

      Look at all of these registered Domains and where they point to. http://www.robtex.com/ip/77.232.92.199.html

      Clearly the AC wanted readers on Slashdot to become useful idiots in a DOS attack. Not me.

      --
      Life is not for the lazy.

    10. Re:Wouldn't the responsible thing be... by wvmarle · · Score: 2, Interesting

      If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.

      However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.

    11. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 2, Interesting

      Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.

      D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract developers. Don't expect D-Link QA in India to catch it - D-Link USA did not put this in the test plan! And the router tech support (all outsourced to India) doesn't gain anything by presenting issues back to Corporate.

      Yes, I've worked with D-Link in one of the above scenarios. The best way to contact them is via a non-company contact, such as one of their major shareholders. I'm not fucking kidding either.
      I'm posting this anonymously because my employer is one of the above mentioned groups, and for years we have been TRYING to get D-Link to fix bugs in their software which affect us.

    12. Re:Wouldn't the responsible thing be... by BitZtream · · Score: 2, Interesting

      If by "work" you mean it makes it easy for people to get exploited for no good reason other than 'to make a point (i.e. get some publicity)', then sure, it works; as far as protecting people, no it doesn't.

      Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people who most certainly do know about it, including the ones who are most certainly going to take advantage of it. What's better is that the likelihood of these devices EVER being updated by the majority of their users is as close to less than 0 as you can possibly get. No nag screens or auto-updates for this one, no one outside the geek community is going to even know about it.

      It isn't counterintuitive, it's being an attention grabbing douche bag using the name of security as an excuse to gather publicity.

      Try to cover it in roses all day long and in the end this behavior will STILL BE BULLSHIT. Get a clue.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

    13. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 2, Interesting

      Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

      The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

      ... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?

      I smell a rat here.

      1. No notification at all, not even a couple days.
      2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
      3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
      4. Have a fixed firmware already setup to be installed, since D-Link won't be able to get one out for at least a few days.

      Which seems to lead up to a pretty nifty way for someone to get a LOT of malicious firmware installed in a lot of D-Link routers that weren't even vulnerable in the first place. Now I haven't grabbed it yet to see if it's up to any tricks or not. And even if it's "legit", that just means someone at this company either has a hard-on to trash D-Link, or figured a way to profit from a drop in their stock prices.

    14. Re:Wouldn't the responsible thing be... by Antique+Geekmeister · · Score: 2, Informative

      20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with CERT, where I and peers have submitted security bug reports and seen them buried. And I've got reports from supervisors of security personnel in the US of vendors slapping them with court orders to prevent publication of the vulnerability.

      The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.

    15. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 2, Interesting

      It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is to launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.

      Make no mistake, these are the bad guys, they just dress up what they do to have an air of professionalism about it.

  2. Wow. by fuzzyfuzzyfungus · · Score: 2, Interesting

    Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

    To whose benefit is this HNAP stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

    1. Re:Wow. by Anonymous Coward · · Score: 5, Informative

      Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

      To whose benefit is this HNAP stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

      a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.

      b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.

      The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.

  3. Re:fdsfds by paintballer1087 · · Score: 5, Funny

    Because slashdot is the target audience for UGG advertising...

  4. UBICOM Based Routers? by Fnord666 · · Score: 5, Informative

    It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list happens to have a list of routers that use UBICOM boards.

    Some other UBICOM based devices listed in TFA's comments include:

    • D-Link Wireless 108G Gaming Router
    • SMC Barricade SMCWGBR14-N
    • Netgear WNDR3700
    • ZyXEL's MIMO-N line
    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  5. DGL-4500 users left screwed by DigiShaman · · Score: 2, Interesting

    If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

    As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
    http://forums.dlink.com/index.php?board=144.0

    --
    Life is not for the lazy.

  6. Attack is Significant but Will not be Pandemic by phantomcircuit · · Score: 3, Informative

    This attack only works when a system on the LAN initiates it.

    It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.

    I'm guessing that this is successfully used only in highly targeted attacks.
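    The two technical points in this thread (comment 2.1: HNAP is LAN-only, so the exposure is through the home user's browser; comment 6: DNS rebinding is the way a malicious page reaches a LAN-only interface) share one standard mitigation on the device side: accept an HTTP request only when its Host header names the device itself. The following is an added illustration of that check, not D-Link's firmware code; the router addresses, the hostname "router.lan" and the sample Host headers are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not D-Link's code. In a DNS rebinding attack the attacker's
# hostname first resolves to the attacker's web server and then, on
# re-resolution, to the router's LAN address, so the page's JavaScript talks
# to the router while the browser still sends "Host: attacker.example".
# Refusing every Host value that is not one of the device's own addresses or
# names closes that path without touching the LAN-only network policy.

ROUTER_ADDRESSES = ("192.168.0.1", "fe80::1")   # assumed LAN addresses
ROUTER_NAMES = ("router.lan",)                    # assumed local hostname


def host_from_header(host_header):
    """Return the host part of an HTTP Host header, lower-cased, port removed.

    urlsplit handles '192.168.0.1:8080' and bracketed IPv6 '[fe80::1]:80'.
    """
    parts = urlsplit("//" + host_header.strip())
    return (parts.hostname or "").lower()


def host_header_allowed(host_header, addresses=ROUTER_ADDRESSES, names=ROUTER_NAMES):
    """True only if the Host header names this device itself."""
    host = host_from_header(host_header)
    if not host:
        return False
    if host in {n.lower() for n in names}:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name may have been rebound to us
    return addr in {ipaddress.ip_address(a) for a in addresses}


def triage_requests(host_headers):
    """Map each Host header to 'allow' or 'reject' (constructed input)."""
    return {h: ("allow" if host_header_allowed(h) else "reject") for h in host_headers}


if __name__ == "__main__":
    # Constructed sample: three legitimate LAN requests, two rebinding attempts.
    sample = ["192.168.0.1", "router.lan:80", "[fe80::1]:80",
              "attacker.example", "192.168.0.1.attacker.example"]
    for header, verdict in triage_requests(sample).items():
        print(f"{verdict:6} Host: {header}")
```

Browsers also re-send the rebound hostname in the Origin header of cross-origin requests, so the same comparison can be applied there as a second check.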

  7. Re:Bad vendors by abigor · · Score: 2, Informative

    For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.

    The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.

    These sorts of companies exist purely as marketing and sales, and don't know much about things like security.