Slashdot Mirror


RealTek SDK Introduces Vulnerability In Some Routers

jones_supa writes: SOHO routers from manufacturers including at least Trendnet and D-Link allow attackers anywhere in the world to execute malicious code on the devices, according to a security advisory issued over the weekend. The remote command-injection vulnerability resides in the "miniigd SOAP service" as implemented by the RealTek SDK. Before someone asks, there is no comprehensive list of manufacturers or models that are affected. Nerds may be able to spot them by using the Metasploit framework to query their router. If the response contains "RealTek/v1.3" or similar, the device is likely vulnerable. For now, the vulnerable routers should be restricted to communicate only with trusted devices. HP's Zero Day Initiative reported the bug confidentially to RealTek in August 2013, but the issue was disclosed 20 months later as no fix has been provided.

  1. Sounds like a good policy anyway. by ron_ivi · · Score: 2

    should be restricted to communicate only with trusted devices

    Sounds like a good policy anyway.

  2. Er. 201*4*, no? by seebs · · Score: 2, Interesting

    TFA says 2014, not 2013. And thus, not 20 months later.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  3. Or maybe support an Open Source option? by mcrbids · · Score: 2

    You could do that, or you could buy a router pre-configured with OSS from the factory. It's not even expensive at ~ $50.

    I bought a similar model about a year ago, and its large antennas and decent range/speed make it the best router I've yet had. If it's not even more expensive, why not support a vendor that supports (more) secure, Open Source solutions?

    I have no relationship with this vendor other than being a happy customer.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Or maybe support an Open Source option? by amalcolm · · Score: 2

      why not support a vendor that supports ... Open Source solutions?

      Because open source software sucks balls?

      Isn't that a feature? :)

      --
      Time for bed, said Zebedee - boing
  4. Re:Why are they allowed to get away with this? by MechaStreisand · · Score: 2

    Liability belongs with the ones making a profit from it, Anonymous Idiot.

    --
    Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.