D-Link Warns of Vulnerable Routers

← Back to Stories (view on slashdot.org)

D-Link Warns of Vulnerable Routers

Posted by kdawson on Monday January 18, 2010 @02:53PM from the in-the-front-door dept.

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSac claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.

9 of 133 comments (clear)

Min score:

Reason:

Sort:

Wouldn't the responsible thing be... by JoshDD · 2010-01-18 15:00 · Score: 4, Insightful

to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Links customers.
1. Re:Wouldn't the responsible thing be... by Anonymous Coward · 2010-01-18 15:04 · Score: 4, Insightful
  
  hahahaha
  dlink wouldve done jack shit like every other company without being publicly humiliated.
2. Re:Wouldn't the responsible thing be... by Koby77 · 2010-01-18 15:20 · Score: 4, Insightful
  
  But what does SourceSac get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....
3. Re:Wouldn't the responsible thing be... by digitalunity · 2010-01-18 15:22 · Score: 4, Interesting
  
  Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.
  The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.
  
  --
  You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
4. Re:Wouldn't the responsible thing be... by davester666 · 2010-01-18 15:28 · Score: 4, Interesting
  
  TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?
  
  --
  Sleep your way to a whiter smile...date a dentist!
5. Re:Wouldn't the responsible thing be... by Wrath0fb0b · 2010-01-18 17:03 · Score: 4, Insightful
  
  The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.
  
  While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:
  "Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"
  versus
  "Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we go through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."
  TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.
Re:fdsfds by paintballer1087 · 2010-01-18 15:06 · Score: 5, Funny

Because slashdot is the target audience for UGG advertising...
UBICOM Based Routers? by Fnord666 · 2010-01-18 15:19 · Score: 5, Informative
It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list happens to have a list of routers that use UBICOM boards.
Some other UBICOM based devices listed in TFA's comments include:
- D-Link Wireless 108G Gaming Router
- SMC Barricade SMCWGBR14-N
- Netgear WNDR3700
- ZyXEL's MIMO-N line
--
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Re:Wow. by Anonymous Coward · 2010-01-18 15:40 · Score: 5, Informative

Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?
To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.
b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.
The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.