Forgot your password?
typodupeerror
Bug Security IT

D-Link Warns of Vulnerable Routers 133

Posted by kdawson
from the in-the-front-door dept.
wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSac claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
This discussion has been archived. No new comments can be posted.

D-Link Warns of Vulnerable Routers

Comments Filter:
  • Wow. (Score:3, Interesting)

    by fuzzyfuzzyfungus (1223518) on Monday January 18, 2010 @11:05PM (#30815646) Journal
    Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

    To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
  • by digitalunity (19107) <digitalunity@yahoo . c om> on Monday January 18, 2010 @11:22PM (#30815744) Homepage

    Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

    The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

  • by davester666 (731373) on Monday January 18, 2010 @11:28PM (#30815784) Journal

    TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?

  • by DigiShaman (671371) on Monday January 18, 2010 @11:29PM (#30815786) Homepage

    If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); your not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

    As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
    http://forums.dlink.com/index.php?board=144.0 [dlink.com]

  • by DigiShaman (671371) on Tuesday January 19, 2010 @02:19AM (#30816516) Homepage

    I pulled a reverse DNS lookup on it. It's static, and points back to servage.net in Germany. But wait, there's more...

    Look at all of these registered Domains and where they point to. http://www.robtex.com/ip/77.232.92.199.html [robtex.com]

    Clearly the AC wanted readers on Slashdot to become useful idiots in a DOS attack. Not me.

  • by wvmarle (1070040) on Tuesday January 19, 2010 @02:26AM (#30816544)

    If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.

    However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.

  • by Anonymous Coward on Tuesday January 19, 2010 @02:33AM (#30816580)

    Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.

    D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract developers. Don't expect D-Link QA in India to catch it - D-Link USA did not put this in the test plan! And the router tech support (all outsourced to India) doesn't gain anything by presenting issues back to Corporate.

    Yes, I've worked with D-Link in one of the above scenarios. The best way to contact them is via a non-company contact, such as one of their major shareholders. I'm not fucking kidding either.
    I'm posting this anonymously because my employer is one of the above mentioned groups, and for years we have been TRYING to get D-Link to fix bugs in their software which affect us.

  • by BitZtream (692029) on Tuesday January 19, 2010 @02:39AM (#30816612)

    If by work you mean makes it easy for people to get exploited for no good reason other than 'to make a point (i.e. get some publicity)' then sure it works, as far as protecting people, no it doesn't.

    Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people most certainly do know about it, including the ones who are most certainly going to take advantage of it. Whats better is that the likely hood of these devices EVER being updated by the majority of their users is as close to less than 0 as you can possibly get. No nag screens or auto-updates for this one, no one outside the geek community is going to even know about it.

    It isnt' counter intuitive, its being an attention grabbing douche bag using the name of security as an excuse to gather publicity.

    Try to cover it in roses all day long and in the end this behavior will STILL BE BULLSHIT. Get a clue.

  • by Anonymous Coward on Tuesday January 19, 2010 @02:49AM (#30816660)

    Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

    The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

    ... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?

    I smell a rat here.

    1. No notification at all, not even a couple days.
    2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
    3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
    4. Have a fixed firmware already setup to be installed, since D-Link won't be able to get one out for at least a few days.

    Which seems to lead up to a pretty nifty way for someone to get a LOT of malicious firmware installed in a lot of D-Link routers that weren't even vulnerable in the first place. Now I haven't grabbed it yet to see if it's up to any tricks or not. And even if it's "legit", that just means someone at this company either has a hard-on to trash D-Link, or figured a way to profit from a drop in their stock prices.

  • by Anonymous Coward on Tuesday January 19, 2010 @08:25AM (#30818088)

    It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is the launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.

    Make no mistake, these are the bad guys, they just dress up what they to do have an air of professionalism about it.

He keeps differentiating, flying off on a tangent.

Working...