Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Patches Critical Vulnerability In Older Routers

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions' security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later."

54 comments

  1. Well that's good. by johnnys · · Score: 5, Insightful

    Good guy D-Link!!!! It's nice to see a manufacturer actually helping out their customers instead of just making them buy a new router.

    --
    Sometimes the "writing on the wall" is blood spatter...
    1. Re:Well that's good. by Anonymous Coward · · Score: 0

      The NSA will be none too pleased about this.

    2. Re:Well that's good. by pla · · Score: 4, Insightful

      The NSA will be none too pleased about this.

      The NSA wants to have access but keep others out. Known vulnerabilities let the "wrong" spies in. Why do you think *cough* "DLink" *cough* released this patch, anyway?

    3. Re:Well that's good. by Anonymous Coward · · Score: 0

      More Interesting is why did it take them that long to close their own backdoor. Did they made a new one?

    4. Re:Well that's good. by wonkey_monkey · · Score: 1

      a manufacturer actually doing whatever they can to mitigate the bad publicity that goes along with the revelation of a critical security flaw

      FTFY.

      --
      systemd is Roko's Basilisk.
    5. Re:Well that's good. by Anonymous Coward · · Score: 1

      Yay! D-Link fixed a router firmware! Remember this rare occasion. If past experience serves as a guide, best let the pawns upgrade first...

    6. Re:Well that's good. by Almost-Retired · · Score: 1

      Sorry, I don't buy this for more than 10 milliseconds. D-Link customer in Mumbai has an attitude that the customer is a dummy, and when he calls in to get some help with a real problem, he either gets the brushoff, or they ask for the seriel number and suddenly discover the device I bought new from Wally's (I'm out in the puckerbrush, Wally's is as hi-tech as can be driven to locally) a week ago was sold, then returned as defective over a year ago by another dealer , and has been marked as having been destroyed in their records. So I asked for an email confirming it, took the router and the email back to Wally's, got a 100% refund and mail ordered a Buffalo Netfinity that I had to reflash with a real dd-wrt image since their branding covered a menu item I had to have access to.

      The next D-Link product that crosses my threshold will be after I hear reliable reports that hell has frozen over a year ago and pigs are using it for an airport runway. IMO its dd-wrt all the way down.

    7. Re:Well that's good. by Anonymous Coward · · Score: 0

      What no more free wifi?

    8. Re:Well that's good. by thegoldenear · · Score: 1

      According to Wikipedia, DD-WRT haven't put out a stable release since 27 July 2008!

    9. Re:Well that's good. by Almost-Retired · · Score: 1

      Wikipedia is editable by anyone. And no one has come through dd-wrt here that I didn't give them the password to do so. No one. I used to watch the logs while the NK and CN folks hammered on it for hours at a time, but that got boring although I did occasionally cost someone their net account if they were being a big enough pest to DDOS me. Those sorts of attacks have actually decreased, I think they've some sort of a fingerprinting thing now that tells them if its a vulnerable target, so they don't waste a lot of time doing dictionary attacks like they did 5 years ago. The proof is in the results.

      I once bought a Siemans router back in my greenhorn days, lasted about 15 minutes before somebody bricked it. I made circuit city eat that one. I had an old slow wintel box with 2 net cards in it that I ran the X86 version of dd-wrt on for 4 or 5 years, stripped, headless, booted from a CF card switched read only. It Just Worked(TM). And this much lower power consumption Buffalo NetFinity with the real dd-wrt reflashed into it has now been standing guard for about 2 years.

      So all I can say is, let the results be the proof you need.

      Cheers, Gene

  2. Routers impacted by sitkill · · Score: 5, Informative

    Vulnerable devices include D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers.

    1. Re:Routers impacted by Anonymous Coward · · Score: 1

      And what percentage of those do you think will every actually get the update?

    2. Re:Routers impacted by Anonymous Coward · · Score: 0

      Would love to patch mine (DI-604+) but no firmware upgrade available for this model. The solutions presented to me is to not mess with the remote management settings (but yet make sure it is turned off - luckily it is), or buy a new device. Would connect the (newer) wi-fi router as main if I didn't have to reset the poor thing every two weeks (newer isn't always better since I've had no problems with the 604).

  3. That was actually... pretty fast considering... by Anonymous Coward · · Score: 0

    Most people expected them never to get patched _at all_

    1. Re:That was actually... pretty fast considering... by Anonymous Coward · · Score: 0

      The copyright date on the manual for one of those routers was *2002*. Are they really supporting products that old? If so, that's pretty good...

  4. Now the question is.... by Dega704 · · Score: 4, Insightful

    How many of these devices will actually get patched by their users?

    1. Re:Now the question is.... by Anonymous Coward · · Score: 0

      I did .
      D-Link 100

    2. Re:Now the question is.... by kmg90 · · Score: 1

      I wonder what the statistics are across the board for all home routers and whether the owners are updating them when likely... My guess is not the majority

  5. Remote Management by Lieutenant_Dan · · Score: 1

    I mean, who enables remote management of their router?

    I get the fact that sometimes you gotta open stuff up remotely; but in that case, you'd hop onto your jumpbox and then launch a browser to log into your router.

    --
    Wearing pants should always be optional.
    1. Re:Remote Management by xenoc_1 · · Score: 1

      Back in the day, a lot of consumer routers and access points* came out of the box with remote management enabled. It was something that only we geeks knew how to turn off. More importantly, knew why to turn off, and if left on, we had good reason for so doing. With other than the default password. Which leaves the other 99.42% of buyers with it still wide open.

      I remember at least one Linksys and one D-Link out of the half-dozen or so I went through in the late-90's through mid-2000's that defaulted to remote management on. After a while I gave up on them and used a homebuilt low-end desktop running Linux as my router, with good old Speakeasy multiple-fixed-IP DSL, and was a happy geek. I moved to the land of "Qwest or Comcast only", before Speakeasy got BestBought and went to evil shit. But Joe Doakes and Jane Smokes are just using those routers as-purchased.

      As to a downstream comment about "what ISP provides a router?" the answer is "Most DSL, most fiber, and some cable ISPs." Up through mid-2012 when I left the States for good, Comcast in Colorado was still just providing a DOCSIS modem with one ethernet port. While I was unloading my place there I threw an old D-Link "router" (early-N single-band WiFi/router combo, maybe one of those on the list) downstream from it to get actual routing and DHCP. Time Warner Cable in North Carolina, in the late 2000's was still the same thing, just a modem. When I used Qwest-now-CenturyLink in CO and WA, they provided a combo unit that was DSL modem, router, and WiFi all built in.

      So lots of cable modem subscribers have "routers" they bought sitting downstream from their cable modem. Less so, DSL subscribers but some do. A large amoujnt of them may have one of these D-Link units. Thankfully most of those units probably bricked themselves or burnt out by now, but ironically cheapo D-Link routers tended to last a lot longer than their low-end competition. Plenty still trucking along, open to this problem.

      * I'm aware that "router", "access point" are different things and that what most consumers call a "router" is a combination of a router and a wireless access point. Point is, most consumers are not.

  6. What percentage will be upgraded? by bobsacks · · Score: 2

    It's good that the patch is available, but what percentage do you actually think will get fixed? Your average user isn't even going to know how to apply a firmware update much less be aware that they have a vulnerable router and need to update it.

    1. Re:What percentage will be upgraded? by drinkypoo · · Score: 0

      The average user uses the router provided by their ISP; the average ISP provides a wireless connection as well as a wire to the customer. Most of them don't ever buy another router.

      Of those who do, a substantial percentage are the type to know what a firmware update is, and why you would want one.

      Of those who aren't, I suspect (but have no proof) that a substantial percentage are the type to replace their router periodically anyway, to keep up with their new devices. They go to the store and say that they're not getting the speeds they want, the guy in the store tells them they need some new hot shit wifi that will provide real-world improvements of a couple megabits or so, which is probably enough to solve their HD streaming problem, and they take the old router out and stick it in a cardboard box under the stairs full of wires and wall warts that they'll write "make offer" on the next time they have a yard sale.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:What percentage will be upgraded? by garyoa1 · · Score: 2

      What am I missing here? Don't know of any ISP that supplies routers. And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

      --
      Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
    3. Re:What percentage will be upgraded? by drinkypoo · · Score: 0

      What am I missing here? Don't know of any ISP that supplies routers.

      What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion. Whether you get the crappy little DSL modem from ATT or the Xfinity modem from Comcast, you're getting a really crap router with a really crap modem built in; in the former case it's a DSL modem, and in the latter a DOCSIS cable modem. Usually it's no more than 802.11g, but that's adequate for most purposes for users with few wireless devices. The box is installed near the one device to which twisted pair is run, usually the home's most powerful PC, or a gaming device.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:What percentage will be upgraded? by Endloser · · Score: 1

      Recently many major ISPs have started to provide them as part of the contract.
      I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

      But to your point and the dismay of many who seem to know it all, there are still quite a few companies (and one of the above) I can also say the opposite for.
      Not all markets are the same and I know in some Comcast markets they do not provide a wireless router without an additional charge.
      I know ATT and Brighthouse do not offer a wireless router at all in some of their markets.
      As well, Verizon's hardware offerings will vary depending upon market (but I have not found one where the equipment is not offered for at least an additional fee).

      So I guess the sweeping statements that almost all major ISPs provide wireless routers is true.
      But there is a cavaet that it only applies to specific markets.

      (Yes, I know this first hand and not via anecdotes. Full disclosure, I probably work in this industry.)

    5. Re:What percentage will be upgraded? by Endloser · · Score: 1, Flamebait

      There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

    6. Re:What percentage will be upgraded? by drinkypoo · · Score: 0

      There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

      Instead, I'm trying to figure out if you're actually a different asshole, or another account of the same asshole, trying to look like a different asshole. But your other comment is utterly devoid of value as it does not, in fact, contain any information on what percentage of customers are provided with routers with wireless modems in them. Further, on a completely snarky tip, even customers who do not receive a wireless router are still going to receive a router in the majority of cases. It won't be a wireless router, but oddly, that was not the question asked.

      Now fuck off, or I shall taunt you a second time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:What percentage will be upgraded? by bigfinger76 · · Score: 1

      I know of no ISP in the last 5 years that doesn't offer routers. Easy money every month. To not offer them is leaving a lot of cash on the table - these companies know better at this point. I even worked for a local (rural) telecom about 4 years ago, and we offered them then.

    8. Re:What percentage will be upgraded? by drinkypoo · · Score: 0

      You are a very rude and vulgar person. Shame on you.

      You are a coward, not only afraid to log in but also of free expression of the amygdala. Shame on you, and your fear.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:What percentage will be upgraded? by Endloser · · Score: 1

      I am a different asshole. That is why I answered the question of the person who you chose to mock in an effort to feel significant.
      Feel free to taunt all you want. My constitution is too great for somethig so insignificant to alter.

    10. Re:What percentage will be upgraded? by Endloser · · Score: 1

      If you are referring to ISP meaning the corporation, I see the same. But if you investigate individual markets you will likely find even many of the large corporations have coverage gaps for leasing certain equipment. And for some reason wifi routers seem to be one of those pieces of equipment.

      Thanks for the intelligent response though. I definitely agree (assuming you are implying this) that in today's day of age most ISPs should take advantage of that easy money. After all, 5 bucks a month on a $40-60 item with a MTBF of 2 years is insane profit.

      (And just so some pedantic person doesn't walk on our kind conversation, yes... ISPs provide routes to all of their customers in good standing. And most have routers built into their CPE gateway devices.)

    11. Re:What percentage will be upgraded? by Anonymous Coward · · Score: 0

      What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion.

      Some are, some aren't. "Virtually every" is a gross exaggeration, and you have no good reason to act like such a rude snob.

    12. Re:What percentage will be upgraded? by Anonymous Coward · · Score: 0

      Oh wow, what a witty retort.

    13. Re:What percentage will be upgraded? by Obfuscant · · Score: 1

      Recently many major ISPs have started to provide them as part of the contract. I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

      Comcast would happily rent me one of their routers, and I'm beginning to see their wireless routers litter the RF landscape near my house.

      Charter Cable would also enable the wireless features on the router I have through them. They apparently stock and install one cable modem/wire+wireless router and then enable what you pay for.

      Personally, I bought the cable modem for my Comcast connection, and run a D-Link wire-only router behind it for routing. And then whatever wireless router I feel like behind that. That means I have a firmware update to do tonight.

      I wonder if the firmware update will fix a different problem I've discovered? My "router" will happily route non-routeable addresses from the LAN to WAN side. I was setting up some HSMM-MESH hardware using a different net than my home systems and I wanted to nmap them to see what was open. Imagine my surprise when a "Motorola CHS" MAC address responded to the non-routeable address I had assigned one of my MESH boxes. And kept responding after I turned the MESH router off.

    14. Re:What percentage will be upgraded? by petermgreen · · Score: 1

      What am I missing here? Don't know of any ISP that supplies routers.

      Maybe this is a regional thing, round here pretty much every ISP either gives you a router or tries to sell you one when you sign up for service. Some even insist on you using it.

      And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

      It depends, if you are on ADSL or a slow cable package then it's not going to make much difference.

      As you move up to high end cable or FTTC+VDSL services then older routers can certainly become a bottleneck and if you move up to FTTH services then you will allmost certainly need a new router to avoid bottlenecking the connection.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    15. Re:What percentage will be upgraded? by Endloser · · Score: 1

      In fact "virtually every" can be considered "virtually incorrect". Seeing you discuss it as a "gross exhaggeration" and not blowing it off as a total troll made me realize that maybe some people have a perspective that only consumer devices connect to the Internet. And for those people I would just like to point out that the majority of the infrastructure that consumer devices are browsing is connected to the Internet over a physical medium (with a great number still on a base to broad setup).

      However there are also a good deal of devices I don't think people usually realize are connected to the Internet with some multi-channel comms in there.
      -Your cable set top box may be connected. These are ever increasing in popularity, as it is the perfect place to stick a little DOCSIS modem.
      -Lots of gamers wouldn't be caught dead running their consoles over WiFi.
      -Home security systems frequently traverse broadband over a direct/intermediary DOCSIS modem with cellular backup.
      -Traffic signals and street lights in many municipalities are controlled via the MAN and can be accessed directly from / have direct access to the Internet.
      -The same goes for red light cameras.
      -To a similar effect, in the private sector, there are tons of CCTV systems that have a recorder which provides Internet access.
      -Al Gore. (I probably made that up.)
      -And to those who don't work in office buildings, let's not forget that there are still thousands of computers sitting under desks.

      So while wireless technology has really taken off, we shouldn't write off just how many devices connect to the Internet over a Copper/Fiber interface.

  7. Level of difference made : next to none. by richy+freeway · · Score: 4, Insightful

    How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it.

    1. Re:Level of difference made : next to none. by Anonymous Coward · · Score: 3, Insightful

      That is not the point. This release is about patching there corporate image, not the firmware.

    2. Re:Level of difference made : next to none. by Arker · · Score: 1

      "How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it."

      This has broader applicability as well. No matter how much software people may wish otherwise, people treat their hardware like a black box and it makes no sense to them for it to be changing after the fact.

      So you have massive vulnerabilities in just about anything ever shipped, because of the way software is developed. (There are other ways to develop, but essentially no one wants to hear about them, because they are slower.) Security depends on updates being applied quickly, yet this is always going to be problematic. Relying on the customer to apply an update (particularly one that has warnings about bricking your box on it) on time is ludicrous in most cases, yet any sort of automatic update system that does not rely on the user to make judgements is just another huge surface for vulnerabilities as well.

      Put it all together and security is usually a bad joke.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    3. Re:Level of difference made : next to none. by roc97007 · · Score: 1

      Can't say, but I can state positively that all of my customers who are currently on a d-link will be upgraded. It's in my best interest, as I'd have to repair the damage if they get compromised.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    4. Re:Level of difference made : next to none. by H0p313ss · · Score: 1

      Put it all together and security is usually a bad joke.

      Always act and behave as if there is no security for any device with a network connection, everything else is just some form of wishful thinking.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    5. Re:Level of difference made : next to none. by Anonymous Coward · · Score: 0

      My guess is that their lawyers and beancounters just saw an outside possibility of legal liability and that this might mitigate the costs.

    6. Re:Level of difference made : next to none. by jones_supa · · Score: 1

      That is not the point. This release is about patching there corporate image, not the firmware.

      Well, then they are doing a good job because in my eyes a company that properly supports hardware, does have a better image.

    7. Re:Level of difference made : next to none. by Anonymous Coward · · Score: 0

      A good job is supporting your hardware pro-actively, without the threat of a public backlash generated by an extraordinary amount of publicity, regarding extremely stupid mistakes.

      This fast release for old products is completely out of character, it has "damage control" written all over it.

    8. Re:Level of difference made : next to none. by Anonymous Coward · · Score: 0

      How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it.

      And it won't fix the problem for those people. I still appreciate that they make it possible for the customer to fix the problem.

      It would have been better if the product wasn't faulty to begin with but making a fix available is clearly the right thing to do. The only thing better would have been to also offer a replacement router for the less tech savvy people.

  8. Another bug... by Anonymous Coward · · Score: 3, Informative

    Now they've to patch this... http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html

    1. Re:Another bug... by Zedrick · · Score: 2

      Spread it on facebook, twitter etc and they'll do something about it. They don't lift a finger until the marketing department takes notice.

      What's wrong with D-Link... well. I worked for D-Link support a long time ago, but it looks like nothing has changed. The people in Taiwan are doing their thing, and there's a lot of layers between them and the end user. I might still be bound by some kind of contract blaha, but one example: they refused to release the gpl'ed firmware sources to customers until I first reported them to the wall of shame on busybox.net, then reported it that my bosses and eventually got them to do something because it looked bad.

    2. Re:Another bug... by enoz · · Score: 1

      Late in 2009 I had the opportunity to setup a brand new D-Link DAP 1522 access point and I discovered a telnet interface with hardcoded credentials in the firmware. I have never disclosed the vulnerability to the vendor or publicly. Four years later the issue is still there on most D-Link SOHO network devices.

      (emphasis mine)

      I don't doubt the existence of this vulnerability, just the motives and timing behind disclosing publicly on this blog.

  9. Changelog by Anonymous Coward · · Score: 0

    Just looked at the DIR-100 blob.

    Old user-agent: xmlset_roodkcableoj28840ybtide
    New user-agent: iNteLalsEtvaLuewitHoutnAme

    (Disclaimer: Yes, /bin/webs was touched too. But looking at /etc/wdhttp.sh I have no hopes for a fix that deserves that name: http://pastebin.com/QVLr7CMM )

    1. Re:Changelog by Anonymous Coward · · Score: 0

      Oh, and note that the files are dated October, 17. So it took them five days to patch the issue, but over a month to release a new firmware (which was announced for early November, by the way).

  10. Are you sure that's it? by Anonymous Coward · · Score: 0

    I look through my spare routers pile and visited all of my DLink devices' firmware pages. However, all I see are "updated" firmwares (at least dated 2013) with the same versions. So, either D-Link is lazy in updating the version number, or they screwed up their last modified time for these firmwares.

  11. Who Buys D-Link Anyway? by Anonymous Coward · · Score: 0

    They and Belkin pretty much are the suck.