Security

D-Link Patches Critical Vulnerability In Older Routers 54

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions' security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later."
This discussion has been archived. No new comments can be posted.

  • Well that's good. (Score:5, Insightful)

    by johnnys (592333) on Monday December 02, 2013 @02:16PM (#45576167)
    Good guy D-Link!!!! It's nice to see a manufacturer actually helping out their customers instead of just making them buy a new router.
    • a manufacturer actually doing whatever they can to mitigate the bad publicity that goes along with the revelation of a critical security flaw

      FTFY.

    • by Anonymous Coward

      Yay! D-Link fixed a router firmware! Remember this rare occasion. If past experience serves as a guide, best let the pawns upgrade first...

    • Sorry, I don't buy this for more than 10 milliseconds. D-Link customer in Mumbai has an attitude that the customer is a dummy, and when he calls in to get some help with a real problem, he either gets the brushoff, or they ask for the serial number and suddenly discover the device I bought new from Wally's (I'm out in the puckerbrush, Wally's is as hi-tech as can be driven to locally) a week ago was sold, then returned as defective over a year ago by another dealer, and has been marked as having been dest

      • According to Wikipedia, DD-WRT haven't put out a stable release since 27 July 2008!

        • Wikipedia is editable by anyone. And no one has come through dd-wrt here that I didn't give them the password to do so. No one. I used to watch the logs while the NK and CN folks hammered on it for hours at a time, but that got boring although I did occasionally cost someone their net account if they were being a big enough pest to DDOS me. Those sorts of attacks have actually decreased, I think they've some sort of a fingerprinting thing now that tells them if it's a vulnerable target, so they don't wast

  • Routers impacted (Score:5, Informative)

    by sitkill (893183) on Monday December 02, 2013 @02:28PM (#45576261)
    Vulnerable devices include D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers.
    • by Anonymous Coward

      And what percentage of those do you think will ever actually get the update?

  • by Dega704 (1454673) on Monday December 02, 2013 @02:39PM (#45576367)
    How many of these devices will actually get patched by their users?
    • by kmg90 (957346)
      I wonder what the statistics are across the board for all home routers and whether the owners are updating them when likely... My guess is not the majority
  • I mean, who enables remote management of their router?

    I get the fact that sometimes you gotta open stuff up remotely; but in that case, you'd hop onto your jumpbox and then launch a browser to log into your router.

    • by xenoc_1 (140817)

      Back in the day, a lot of consumer routers and access points* came out of the box with remote management enabled. It was something that only we geeks knew how to turn off. More importantly, knew why to turn off, and if left on, we had good reason for so doing. With other than the default password. Which leaves the other 99.42% of buyers with it still wide open.

      I remember at least one Linksys and one D-Link out of the half-dozen or so I went through in the late-90's through mid-2000's that defaulted to remot

  • It's good that the patch is available, but what percentage do you actually think will get fixed? Your average user isn't even going to know how to apply a firmware update much less be aware that they have a vulnerable router and need to update it.
    • by drinkypoo (153816)

      The average user uses the router provided by their ISP; the average ISP provides a wireless connection as well as a wire to the customer. Most of them don't ever buy another router.

      Of those who do, a substantial percentage are the type to know what a firmware update is, and why you would want one.

      Of those who aren't, I suspect (but have no proof) that a substantial percentage are the type to replace their router periodically anyway, to keep up with their new devices. They go to the store and say that they'r

      • by garyoa1 (2067072)

        What am I missing here? Don't know of any ISP that supplies routers. And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

        • by drinkypoo (153816)

          What am I missing here? Don't know of any ISP that supplies routers.

          What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion. Whether you get the crappy little DSL modem from ATT or the Xfinity modem from Comcast, you're getting a really crap router with a really crap modem built in; in the former case it's a DSL modem, and in the latter a DOCSIS cable modem. Usually it's no more than 802.11g, but that's adequate for most purposes for users with few wireless devices. The box is installed near

          • Re: (Score:1, Flamebait)

            by Endloser (1170279)

            There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

            • by drinkypoo (153816)

              There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

              Instead, I'm trying to figure out if you're actually a different asshole, or another account of the same asshole, trying to look like a different asshole. But your other comment is utterly devoid of value as it does not, in fact, contain any information on what percentage of customers are provided with routers with wireless modems in them. Further, on a completely snarky tip, even customers who do not receive a wireless router are still going to receive a router in the majority of cases. It won't be a wirel

              • by Endloser (1170279)

                I am a different asshole. That is why I answered the question of the person who you chose to mock in an effort to feel significant.
                Feel free to taunt all you want. My constitution is too great for something so insignificant to alter.

        • by Endloser (1170279)

          Recently many major ISPs have started to provide them as part of the contract.
          I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

          But to your point and the dismay of many who seem to know it all, there are still quite a few companies (and one of the above) I can also say the opposite for.
          Not all markets are the same and I know in some Comcast markets they do not provide a wireless router without an additional charge.
          I know ATT and Brighthouse do not offer a w

          • I know of no ISP in the last 5 years that doesn't offer routers. Easy money every month. To not offer them is leaving a lot of cash on the table - these companies know better at this point. I even worked for a local (rural) telecom about 4 years ago, and we offered them then.
            • by Endloser (1170279)

              If you are referring to ISP meaning the corporation, I see the same. But if you investigate individual markets you will likely find even many of the large corporations have coverage gaps for leasing certain equipment. And for some reason wifi routers seem to be one of those pieces of equipment.

              Thanks for the intelligent response though. I definitely agree (assuming you are implying this) that in today's day and age most ISPs should take advantage of that easy money. After all, 5 bucks a month on a $40-60 ite

          • by Obfuscant (592200)

            Recently many major ISPs have started to provide them as part of the contract. I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

            Comcast would happily rent me one of their routers, and I'm beginning to see their wireless routers litter the RF landscape near my house.

            Charter Cable would also enable the wireless features on the router I have through them. They apparently stock and install one cable modem/wire+wireless router and then enable what you pay for.

            Personally, I bought the cable modem for my Comcast connection, and run a D-Link wire-only router behind it for routing. And then whatever wireless router I feel like behind that

        • What am I missing here? Don't know of any ISP that supplies routers.

          Maybe this is a regional thing, round here pretty much every ISP either gives you a router or tries to sell you one when you sign up for service. Some even insist on you using it.

          And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

          It depends, if you are on ADSL or a slow cable package then it's not going to make much difference.

          As you move up to high end cable or FTTC+VDSL services then older routers can certainly become a bottleneck and if you move up to FTTH services then you will almost certainly need a new router to avoid bottlenecking the connection.

  • by richy freeway (623503) on Monday December 02, 2013 @02:40PM (#45576395)
    How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      That is not the point. This release is about patching their corporate image, not the firmware.

      • That is not the point. This release is about patching their corporate image, not the firmware.

        Well, then they are doing a good job because in my eyes a company that properly supports hardware, does have a better image.

    • by Arker (91948)

      "How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it."

      This has broader applicability as well. No matter how much software people may wish otherwise, people treat their hardware like a black box and it makes no sense to them for it to be changing after the fact.

      So you have massive vulnerabilities in just about anything ever shipped, because of the way software is developed. (The

      • by H0p313ss (811249)

        Put it all together and security is usually a bad joke.

        Always act and behave as if there is no security for any device with a network connection, everything else is just some form of wishful thinking.

    • by roc97007 (608802)

      Can't say, but I can state positively that all of my customers who are currently on a d-link will be upgraded. It's in my best interest, as I'd have to repair the damage if they get compromised.

  • Another bug... (Score:3, Informative)

    by Anonymous Coward on Monday December 02, 2013 @02:51PM (#45576491)

    Now they've to patch this... http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html

    • by Zedrick (764028)
      Spread it on facebook, twitter etc and they'll do something about it. They don't lift a finger until the marketing department takes notice.

      What's wrong with D-Link... well. I worked for D-Link support a long time ago, but it looks like nothing has changed. The people in Taiwan are doing their thing, and there's a lot of layers between them and the end user. I might still be bound by some kind of contract blaha, but one example: they refused to release the gpl'ed firmware sources to customers until I first
    • by enoz (1181117)

      Late in 2009 I had the opportunity to set up a brand new D-Link DAP 1522 access point and I discovered a telnet interface with hardcoded credentials in the firmware. I have never disclosed the vulnerability to the vendor or publicly. Four years later the issue is still there on most D-Link SOHO network devices.

      (emphasis mine)

      I don't doubt the existence of this vulnerability, just the motives and timing behind disclosing publicly on this blog.
