
D-Link Warns of Vulnerable Routers 133

Posted by kdawson
from the in-the-front-door dept.
wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
  • by JoshDD (1713044) on Monday January 18, 2010 @11:00PM (#30815612)
    to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Link's customers.
    • by Anonymous Coward on Monday January 18, 2010 @11:04PM (#30815632)

      hahahaha
      dlink would've done jack shit like every other company without being publicly humiliated.

      • by Koby77 (992785) on Monday January 18, 2010 @11:20PM (#30815738)
        But what does SourceSec get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....
        • by Sir_Lewk (967686)

          You are not very familiar with the security scene, are you? This is just how things operate, hardly anything new.

        • Reputation, my friend, reputation.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is to launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.

          Make no mistake, these are the bad guys, they just dress up what they do to have an air of professionalism about it.

      • by digitalunity (19107) <digitalunity.yahoo@com> on Monday January 18, 2010 @11:22PM (#30815744) Homepage

        Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

        The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

        • by Wrath0fb0b (302444) on Tuesday January 19, 2010 @01:03AM (#30816234)

          The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

          While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

          "Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

          versus

          "Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we got through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

          TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.

          • Re: (Score:3, Informative)

            20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with C

            • by Tim C (15259)

              The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.

              And their customers, what have they done to earn the inevitable increase in attacks, other than to not know better than to buy D-Link products?

              • And their customers deserve to be vulnerable for weeks or months longer if D-Link lags in producing an update or patch? Or not to be notified that they can simply turn off remote administration in the short term? No, leaving them vulnerable this way is a frequent problem with many software packages, and we as customers don't deserve to not be notified of these issues.

              • by Ltap (1572175)
                It would have got out somehow, better a public announcement that will mean a quick patch than for it to slip out without D-Link knowing.
          • by Aladrin (926209)

            This isn't about carrot and stick. The people that discovered this get nothing from it. They aren't the owners of the company, they don't work for the company, and they probably don't even use the products in question.

            In fact, the only thing these people -do- get is recognition that they found some serious flaws in other peoples' stuff. And they get that whether they work with the companies or not. (Sadly, they get -far- more attention if they don't work with the companies, so that gives them a push tow

          • by Hatta (162192)

            It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long).

            They would have lost time. Any time you wait for the vendor to address the issue (at their leisure) is time the black hats are exploiting the vulnerability freely. Announce the vulnerability immediately so those affected can take measures to limit their exposure. That is responsible dis

        • Re: (Score:3, Interesting)

          by BitZtream (692029)

          If by work you mean makes it easy for people to get exploited for no good reason other than 'to make a point (i.e. get some publicity)' then sure it works, as far as protecting people, no it doesn't.

          Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people most certainly do know about it, including the ones who are most certainly going to take advantage of it. What's better is that the likelihood of these devices EVER being updated by th

          • by Ltap (1572175)
            These are routers that would have had to have their firmware updated, as the update (from TFS) introduced the vulnerability. So yes, these are geeks that are in danger, ones who would be willing to update again.
        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

          The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

          ... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?

          I smell a rat here.

          1. No notification at all, not even a couple days.
          2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
          3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
          4. Have a fixed firmware already setup to be installed, since D-Link won't be a

          • by unixfan (571579)

            Agreed. Also some of the above posts are nothing but weak excuses for creating a problem. On top of it it's not the manufacturer who's at particular risk, it's all the users. One does the right thing regardless of the other party. Which should be a natural point of integrity for any person.

      • Re: (Score:3, Insightful)

        by Wrath0fb0b (302444)

        dlink would've done jack shit like every other company without being publicly humiliated.

        Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

        • It also gives them the "chance" to slap you with a court order to shut you up. Take a look at the history of the "8lgm", or "eight-legged groove machine". Their old site is at http://www.8lgm.org/ [8lgm.org]: it's a fascinating bit of security and legal history.

        • by Chas (5144)

          No, that just gives them time to draft the restraining order.

        • I remember once a guy found a vulnerability in some electro-mechanical door locks (can't remember exactly what it was but I remember it was super easy to pull off and could cause the locks to get stuck in an unlocked state without giving any warning). He said he would only release the info to the manufacturer if they promised to replace all the locks in question free of cost to the owners. They didn't, so he publicized the vulnerability and the company was rightly shamed.

          I thought that was a good way of goi

      • I can't prove a negative but I'd like to think they would have patched it and publicized it if given the opportunity. This company just wants free /. pub, and it's working.
      • Actually DLink seems pretty good at keeping their products patched. Not as quickly as Multitech mind you (who've created custom test firmwares for me by E-mail), but still quite responsive.

        • by Ltap (1572175)
          I must admit, I don't know how you have the balls to install beta firmware, I don't think I could...
    • Re: (Score:3, Insightful)

      by h4rr4r (612664)

      All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.

      • Re: (Score:3, Interesting)

        by wvmarle (1070040)

        If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.

        However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.

        • by h4rr4r (612664)

          Except that the lawsuit would have of course come with a gag order, thus foiling your brilliant plan.

          • by wvmarle (1070040)

            Then start publishing the fact that you found a 0-day vulnerability, that supplier of said software/device is unwilling to fix it, and instead sued you and put you under a gag order that prevents full disclosure of the actual vulnerability - and suggest that it is just a matter of time before the black-hats find out as well, and that everyone is at risk. That's pretty much what I recall Google has done before ("we are forced to remove several links from your search results, click here to see which links tha

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      I don't think anyone on the planet can find a D-Link security contact. More responsible [microsoft.com] companies [apple.com] make this easy.
    • Re: (Score:2, Insightful)

      by OverlordQ (264228)

      So, is it irony that their site links to "Ethical Hacker Network"?

    • by davester666 (731373) on Monday January 18, 2010 @11:28PM (#30815784) Journal

      TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?

      • The way I'm reading it, they mean the company that found the problem has published its own bootleg patch. I don't think D-Link has done anything. And if I were you, I wouldn't broadcast the fact I had that router.
        • No sane admin would ever allow remote router configuration anyway, so admitting the use of a router that has a remote exploit, is not really a problem. It is allowing the remote access to begin with.
          • by jimicus (737525)

            You'd better tell all the ISPs that. I know of at least one that thinks they can safely reconfigure a router remotely.

            • And I know a stack of corporate and educational sites, and household setups, that allow this. Some consider their internal machines secure (which they are not), others consider the "open environment" more important, others consider the ease of remote access for their single admin or their often telecommuting key technical admin more important.

      • That's the latest I see too.

        My concern with the DIR-655 is that I'm still at v1.21 [HW rev A3]. I've read nothing but nightmare stories of people with perfectly stable 1.2x routers who then upgraded to 1.3X firmwares and had tons of trouble and instability. At v1.21 my router is absolutely rock solid. This is the best, most stable wireless router I've ever had. If the 1.21 firmware is affected, and I'm forced to upgrade to 1.3X and it causes my router to become unstable, I'm going to be PISSED!

        I realize I

        • by Aladrin (926209)

          I upgraded my DIR655 to the latest and started having a lot of trouble. Then I turned off the internal DNS server and POOF, everything was great again. If you have trouble after the upgrade that is obviously coming, put that on your list of things to try when you have weird issues.

        • by multisync (218450)

          I know the bug you're talking about, that seems to be more common with firmware versions later than 1.21. Connection to the outside slows to a crawl, then stops altogether. You can still talk to other machines on the LAN, but you can't get to the router's management page, so the only thing you can do is reset the device.

          I've had this problem even with version 1.21 of the firmware, but the frequency has gone down dramatically over the past few months. I've only had to reset it once since the new year, so I a

      • by Farhood (975274)

        Gimme a minute to RTFA, and I'll check your router for you.

      • by Carewolf (581105)

        I see a beta version 1.31EUb02 listed from the 18/1 with the specific changelog of fixing this vulnerability.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.

      D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract develope

    • by Chas (5144)

      No. DLink's response to everything consumer-grade is thus.

      1. Act dumb (well, they're not REALLY acting)
      2. Sit on hands
      3. Offer an exchange
      4. Hope the problem customer just "goes away".

      Years of experience with trying to get them to actually SUPPORT the crap they ship has taught me this.

      Their "pro grade" support is SLIGHTLY better. But it's the difference between getting a root canal with no pain killers and getting a root canal with no pain killers while being repeatedly kneed in the nuts (which is ESPECIA

  • Bad vendors (Score:1, Insightful)

    by Anonymous Coward

    I don't blame them. Finding security contacts for consumer hardware companies is next to impossible.

    Whether it is D-Link, Belkin, Netgear - I don't believe any of them have a public security page similar to any major software vendors.

    • Re: (Score:3, Informative)

      by abigor (540274)

      For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.

      The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.

      These sorts of companies exist purely as marketing and sales, and don't know

  • Wow. (Score:3, Interesting)

    by fuzzyfuzzyfungus (1223518) on Monday January 18, 2010 @11:05PM (#30815646) Journal
    Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

    To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
    • Re:Wow. (Score:5, Informative)

      by Anonymous Coward on Monday January 18, 2010 @11:40PM (#30815866)

      Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

      To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

      a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.

      b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.

      The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.

      • So, you're surfing from home and you go to a site with a banner and you get a drive by infection.

        Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.

        Who the fuck thought it would be a good idea to allow other apps to open the firewall?

        • by 0123456 (636235)

          Who the fuck thought it would be a good idea to allow other apps to open the firewall?

          Sales and Marketing?

        • by jimicus (737525)

          Who the fuck thought it would be a good idea to allow other apps to open the firewall?

          UPnP allows something similar. Disabling such features wouldn't necessarily gain much because if malware does get in, it's just as easy to initiate the connection from inside the home firewall and keep it open - with the added benefit that the control server knows which nodes are online because there are connections open to them. Otherwise it'd have to keep a list of which IP addresses are compromised and contact each one whenever it wants to do something - which would be slow, and wouldn't deal very well

  • >"The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected."

    It's one thing to be a commenter/whistle-blower - it is entirely another to be an apologist in the same breath.

    Once you pull the trigger, you can't run,
  • by Fnord666 (889225) on Monday January 18, 2010 @11:19PM (#30815734) Journal

    It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list [dd-wrt.com] happens to have a list of routers that use UBICOM boards.

    Some other UBICOM based devices listed in TFA's comments include:

    • D-Link Wireless 108G Gaming Router
    • SMC Barricade SMCWGBR14-N
    • Netgear WNDR3700
    • ZyXEL's MIMO-N line
    • by tlhIngan (30335)

      It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list happens to have a list of routers that use UBICOM boards.

      Given Ubicom makes their own CPU, I would be surprised if it isn't in all Ubicom boards past a certain software revision. Ubi

  • by DigiShaman (671371) on Monday January 18, 2010 @11:29PM (#30815786) Homepage

    If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

    As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
    http://forums.dlink.com/index.php?board=144.0 [dlink.com]

    • by Giometrix (932993)

      If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

      As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products. http://forums.dlink.com/index.php?board=144.0 [dlink.com]

      Odd, I have this model... and with v1.15 (2008/10/29) the admin page says I have the latest version of the firmware. I wonder if they stopped pushing anything that came later.

      • If you RMA your unit, they ship you one back with the 1.15 rev (so I've read). Regardless, do not upgrade to 1.21. That would be a fatal mistake as you can't roll back.

        Silly me, I thought all updates were supposed to be better than the last. Obviously not. Damn them.

    • It's odd that these days the top-of-the-line, most expensive flagship products are the most buggy. See:

      - MSI X58 Eclipse SLI (BIOS reflash bricking problem, some problems with the IOH (northbridge) thermal compound application from the factory, and it's not their first board to have this)

      - Nokia N900 (hardware flaws including the USB port coming clean off the board in normal use, a fuckton of bugs in original OS release).

      - There's a similar clusterfuck with a high-end Linksys router (can't remember the mode

  • by phantomcircuit (938963) on Monday January 18, 2010 @11:37PM (#30815846) Homepage

    This attack only works when a system on the LAN initiates it.

    It is possible to get a system on the lan to initiate it with a DNS rebinding attack and javascript on a malicious web page, but that is far from a trivial attack.

    I'm guessing that this is successfully used only in highly targeted attacks.
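The DNS rebinding path mentioned in the comment above depends on a public hostname being re-resolved to a LAN address, so it can be cut off at the resolver and at the management interface itself. The following is an added example, not part of the comment or of any vendor's firmware; the hostnames, the router address 192.168.0.1, the public address and all function names are constructed for illustration.

```python
"""Defences against DNS rebinding toward a LAN-only management interface.
Added example; hostnames, addresses and function names are constructed."""
import ipaddress


def is_internal(addr):
    """True for addresses a public hostname should never resolve to."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped IPv6 answer cannot hide a LAN address.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified)


def filter_answers(qname, answers, local_suffixes=("lan", "home.arpa")):
    """Resolver-side check: return (kept, dropped) answers for one query.

    Names under a local suffix may legitimately point at LAN hosts; any
    other name that resolves to an internal address has that answer dropped.
    """
    name = qname.rstrip(".").lower()
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return list(answers), []
    kept = [a for a in answers if not is_internal(a)]
    dropped = [a for a in answers if is_internal(a)]
    return kept, dropped


def host_allowed(host_header, allowed_hosts):
    """Server-side check: accept a request only if its Host header names
    the device itself. A rebound page still sends the outside hostname."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, optional port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # hostname or IPv4 followed by a port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in {h.lower() for h in allowed_hosts}


def find_rebinds(dns_log):
    """Detection over resolver logs: names seen with both a public and an
    internal answer, which is the signature of a rebinding hostname."""
    seen = {}
    for _ts, name, addr in dns_log:
        seen.setdefault(name.rstrip(".").lower(), set()).add(is_internal(addr))
    return sorted(n for n, kinds in seen.items() if kinds == {True, False})


# Constructed resolver log: (seconds, queried name, answer).
DNS_LOG = [
    (0, "news.example", "93.184.216.34"),
    (1, "rebind.example", "93.184.216.34"),
    (9, "rebind.example", "192.168.0.1"),    # same name now points at the LAN
    (12, "router.lan", "192.168.0.1"),       # local name, expected
]

if __name__ == "__main__":
    print(filter_answers("rebind.example", ["93.184.216.34", "192.168.0.1"]))
    print(host_allowed("rebind.example", {"192.168.0.1", "router.lan"}))
    print(find_rebinds(DNS_LOG))
```

The resolver filter is the same idea as the rebind protection found in common home resolvers; the Host header check protects the device even when clients use a resolver without it.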

    • How about just busting into their wifi? There is an AP near the tram stop I use called "DLINK". I use it sometimes to check stuff while waiting for the tram to go. Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect. A lot of the time it gets on too.

      • by jamesh (87723)

        Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect.

        This is the big problem with unsecured access points. Linux is probably pretty safe but if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?) and you could be pwned pretty readily either by the owner of the access point or by someone else who just happens to be connected too.

        • if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?)

          The MAC address?

          • by jamesh (87723)

            The MAC address?

            Hmmm... that is visible but I don't think Windows pays any attention. Otherwise if you added another unsecured 'DLINK' SSID down the other end of your house it wouldn't 'just work'.

      • by Carewolf (581105)

        I can't say for all the affected routers but the D-Link 655 has a guest mode for unsecured wireless networks. This means this essid only provides internet and not access to the LAN. To get to the LAN you need to use the other secure essid (the router can handle multiple wireless networks with varying security).

  • I don't see any update for the DIR-655, last firmware is from 07/2009, v1.32NA.

    I hope they release soon, I know a few not so savvy users who have this model.
    • Do you have any suggestions for a good wi-fi router, without replacing the firmware with your favorite open source firmware?
    • Whatever you do, don't install v1.32NA. It's garbage! I wish I never did!

      I've been waiting for an update for months now, with a reboot every couple of days.
      When it works, it's fine, but it is certainly not stable.

      • by Aladrin (926209)

        Turn off the internal DNS stuff (DNS Forwarding, I think it was called?). That fixed it for me. I was really upset about it until I found that fix.

  • I really don't :(

    Hopefully this whole thing gets corrected without too much harm :)

    • Don't feel bad. All I have to contribute is "A stable rev of dd-wrt for the DIR-655 that addresses speed issues with the existing version, and I won't care." (Besides, my wireless routers are behind another unaffected router.)
  • by Anonymous Coward

    This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting uPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.

    Search for some of the

    • So is a user better off using a Linux box as a router? How about Windows Server 2008 R2? Anyone know?

  • I've got an affected router (DI-524 Rev C1 v3.23 firmware). From the advisory:

    Older models, such as the DI-524, require authentication for all of the supported SOAP actions, but allow both the administrator and user accounts to execute any of these actions. This allows a malicious individual to use the often-ignored user account (default login of 'user' with a blank password) to perform administrative actions

    If I read that right I should be fine as long as I secure the user account as well as the admin

  • from routers, switches to cameras, all I have seen is half finished overpriced junk
  • Maybe that's why the last DIR-615 was acting strange, I replaced it with another DIR-615 but it has firmware version C1. Guess I'm safe, for now..

    • I have a DIR-615 (got it for free) running the latest firmware. It's mostly reliable but sometimes it kicks off all the computers on the wireless. Used to happen once every two days or so. It happens less frequently since I disabled "Short GI."

  • I wouldn't buy a BRICK from DLink anymore. I have yet to see anything made by them that wasn't the worst I'd ever seen of whatever it was. NICs, routers, switches, whatever, they were all crap, with crap drivers, crap firmware, crap everything. They must have the schmoozingest marketing department ever to still be in business.
