
D-Link Warns of Vulnerable Routers

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
  • by Fnord666 ( 889225 ) on Monday January 18, 2010 @11:19PM (#30815734) Journal

    It looks like this might be a broader issue than just D-Link routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list [dd-wrt.com] happens to have a list of routers that use UBICOM boards.

    Some other UBICOM based devices listed in TFA's comments include:

    • D-Link Wireless 108G Gaming Router
    • SMC Barricade SMCWGBR14-N
    • Netgear WNDR3700
    • ZyXEL's MIMO-N line
  • by phantomcircuit ( 938963 ) on Monday January 18, 2010 @11:37PM (#30815846) Homepage

    This attack only works when a system on the LAN initiates it.

    It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.

    I'm guessing that this is successfully used only in highly targeted attacks.
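
Added example, not part of the comment above or of the original page: one way a defender could spot the DNS rebinding pattern mentioned there in resolver logs, by flagging public names that answer with LAN addresses. The log format, the internal-zone suffixes and the 60-second window are assumptions, and the log entries are constructed.

```python
import ipaddress

# Ranges treated as "inside the LAN": RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones

# Constructed resolver log: (seconds, queried name, answer). Not real data.
SAMPLE_LOG = [
    (0,  "www.example.org",      "198.51.100.34"),
    (5,  "rebind.example.net",   "203.0.113.10"),
    (9,  "rebind.example.net",   "192.168.0.1"),
    (12, "nas.home.lan",         "192.168.0.20"),
    (20, "cdn.example.com",      "198.51.100.7"),
    (50, "intranet.example.com", "10.0.0.5"),
]

def is_internal(addr):
    """True if addr falls in one of the LAN-side ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_rebinding(log, window=60):
    """Flag public names whose answers point at internal addresses.

    'rebind' means the name answered with an external address and then,
    within `window` seconds, with an internal one. 'internal-answer'
    means an internal address with no recent external answer before it.
    """
    last_external = {}  # name -> (time, address) of latest external answer
    findings = []
    for ts, name, addr in sorted(log):
        name = name.lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            continue  # internal zones legitimately map to LAN addresses
        if not is_internal(addr):
            last_external[name] = (ts, addr)
            continue
        prev = last_external.get(name)
        if prev and ts - prev[0] <= window:
            findings.append((name, "rebind", prev[1], addr))
        else:
            findings.append((name, "internal-answer", None, addr))
    return findings
```

Resolvers can also drop such answers outright; dnsmasq's `stop-dns-rebind` option rejects upstream answers that fall in private ranges.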

  • Re:Bad vendors (Score:3, Informative)

    by abigor ( 540274 ) on Monday January 18, 2010 @11:39PM (#30815856)

    For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.

    The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.

    These sorts of companies exist purely as marketing and sales, and don't know much about things like security.

  • Re:Wow. (Score:5, Informative)

    by Anonymous Coward on Monday January 18, 2010 @11:40PM (#30815866)

    Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

    To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

    a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.

    b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.

    The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.

  • by Antique Geekmeister ( 740220 ) on Tuesday January 19, 2010 @07:02AM (#30817716)

    20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with CERT, where I and peers have submitted security bug reports and seen them buried. And I've got reports from supervisors of security personnel in the US of vendors slapping them with court orders to prevent publication of the vulnerability.

    The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.
