D-Link Warns of Vulnerable Routers
wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
Wouldn't the responsible thing be... (Score:4, Insightful)
Re:Wouldn't the responsible thing be... (Score:4, Insightful)
hahahaha
dlink would've done jack shit like every other company without being publicly humiliated.
Re:Wouldn't the responsible thing be... (Score:4, Insightful)
Re: (Score:2)
You are not very familiar with the security scene, are you? This is just how things operate, hardly anything new.
Re: (Score:1)
Reputation, my friend, reputation.
Re: (Score:2, Interesting)
It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is to launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.
Make no mistake, these are the bad guys, they just dress up what they do to have an air of professionalism about it.
Re:Wouldn't the responsible thing be... (Score:5, Interesting)
Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.
The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.
Re:Wouldn't the responsible thing be... (Score:5, Insightful)
The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.
While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:
"Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"
versus
"Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we got through to someone that assigned it a low priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."
TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.
Re: (Score:3, Informative)
20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with C
Re: (Score:2)
The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.
And their customers, what have they done to earn the inevitable increase in attacks, other than to not know better than to buy D-Link products?
Re: (Score:2)
And their customers deserve to be vulnerable for weeks or months longer if D-Link lags in producing an update or patch? Or not to be notified that they can simply turn off remote administration in the short term? No, leaving them vulnerable this way is a frequent problem with many software packages, and we as customers don't deserve to not be notified of these issues.
Re: (Score:2)
This isn't about carrot and stick. The people that discovered this get nothing from it. They aren't the owners of the company, they don't work for the company, and they probably don't even use the products in question.
In fact, the only thing these people -do- get is recognition that they found some serious flaws in other peoples' stuff. And they get that whether they work with the companies or not. (Sadly, they get -far- more attention if they don't work with the companies, so that gives them a push tow
Re: (Score:2)
It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long).
They would have lost time. Any time you wait for the vendor to address the issue (at their leisure) is time the black hats are exploiting the vulnerability freely. Announce the vulnerability immediately so those affected can take measures to limit their exposure. That is responsible dis
Re: (Score:3, Interesting)
If by work you mean makes it easy for people to get exploited for no good reason other than 'to make a point (i.e. get some publicity)' then sure it works, as far as protecting people, no it doesn't.
Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people who most certainly do know about it, including the ones who are most certainly going to take advantage of it. What's better is that the likelihood of these devices EVER being updated by th
Re: (Score:2, Interesting)
Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.
The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.
... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?
I smell a rat here.
1. No notification at all, not even a couple days.
2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
4. Have a fixed firmware already setup to be installed, since D-Link won't be a
Re: (Score:2)
Agreed. Also some of the above posts are nothing but weak excuses for creating a problem. On top of it, it's not the manufacturer who's at particular risk, it's all the users. One does the right thing regardless of the other party. Which should be a natural point of integrity for any person.
Re: (Score:3, Insightful)
dlink would've done jack shit like every other company without being publicly humiliated.
Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.
Re: (Score:2)
It also gives them the "chance" to slap you with a court order to shut you up. Take a look at the history of the "8lgm", or "eight-legged groove machine". Their old site is at http://www.8lgm.org/ [8lgm.org]: it's a fascinating bit of security and legal history.
Re: (Score:2)
No, that just gives them time to draft the restraining order.
Re: (Score:2)
I remember once a guy found a vulnerability in some electro-mechanical door locks (can't remember exactly what it was but I remember it was super easy to pull off and could cause the locks to get stuck in an unlocked state without giving any warning). He said he would only release the info to the manufacturer if they promised to replace all the locks in question free of cost to the owners. They didn't, so he publicized the vulnerability and the company was rightly shamed.
I thought that was a good way of goi
Re: (Score:2)
Actually DLink seems pretty good at keeping their products patched. Not as quickly as Multitech mind you (who've created custom test firmwares for me by E-mail), but still quite responsive.
Re: (Score:3, Insightful)
All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.
Re: (Score:3, Interesting)
If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.
However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.
Re: (Score:2)
Except that the lawsuit would have of course come with a gag order, thus foiling your brilliant plan.
Re: (Score:2)
Then start publishing the fact that you found a 0-day vulnerability, that supplier of said software/device is unwilling to fix it, and instead sued you and put you under a gag order that prevents full disclosure of the actual vulnerability - and suggest that it is just a matter of time before the black-hats find out as well, and that everyone is at risk. That's pretty much what I recall Google has done before ("we are forced to remove several links from your search results, click here to see which links tha
http://www.dlink.co.za/support_pr.php (Score:1)
Re: (Score:2, Insightful)
So, is it irony that their site links to "Ethical Hacker Network"?
Re:Wouldn't the responsible thing be... (Score:4, Interesting)
TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?
Re: (Score:2)
You'd better tell all the ISPs that. I know of at least one that thinks they can safely reconfigure a router remotely.
Re: (Score:2)
And I know a stack of corporate and educational sites, and household setups, that allow this. Some consider their internal machines secure (which they are not), others consider the "open environment" more important, others consider the ease of remote access for their single admin or their often telecommuting key technical admin more important.
Re: (Score:2)
No, it was 77.232.92.199!
Re: (Score:1)
More likely: the AC gave us the IP of goatse.cx, which is actually hosted on ervage.net.
Re: (Score:2)
You bastard, you nearly got me. Luckily my office firewall caught it.
Don't make me upgrade to 1.3x! (Score:1)
That's the latest I see too.
My concern with the DIR-655 is that I'm still at v1.21 [HW rev A3]. I've read nothing but nightmare stories of people with perfectly stable 1.2x routers who then upgraded to 1.3X firmwares and had tons of trouble and instability. At v1.21 my router is absolutely rock solid. This is the best, most stable wireless router I've ever had. If the 1.21 firmware is affected, and I'm forced to upgrade to 1.3X and it causes my router to become unstable, I'm going to be PISSED!
I realize I
Re: (Score:2)
I upgraded my DIR655 to the latest and started having a lot of trouble. Then I turned off the internal DNS server and POOF, everything was great again. If you have trouble after the upgrade that is obviously coming, put that on your list of things to try when you have weird issues.
Re: (Score:2)
I know the bug you're talking about, that seems to be more common with firmware versions later than 1.21. Connection to the outside slows to a crawl, then stops altogether. You can still talk to other machines on the LAN, but you can't get to the router's management page, so the only thing you can do is reset the device.
I've had this problem even with version 1.21 of the firmware, but the frequency has gone down dramatically over the past few months. I've only had to reset it once since the new year, so I a
Re: (Score:1)
Gimme a minute to RTFA, and I'll check your router for you.
Re: (Score:2)
I see a beta version 1.31EUb02 listed from the 18/1 with the specific changelog of fixing this vulnerability.
Re: (Score:2, Interesting)
Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.
D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract develope
Re: (Score:2)
No. DLink's response to everything consumer-grade is thus.
Years of experience with trying to get them to actually SUPPORT the crap they ship has taught me this.
Their "pro grade" support is SLIGHTLY better. But it's the difference between getting a root canal with no pain killers and getting a root canal with no pain killers while being repeatedly kneed in the nuts (which is ESPECIA
Bad vendors (Score:1, Insightful)
I don't blame them. Finding security contacts for consumer hardware companies is next to impossible.
Whether it is D-Link, Belkin, Netgear - I don't believe any of them have a public security page similar to any major software vendors.
Re: (Score:3, Informative)
For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.
The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.
These sorts of companies exist purely as marketing and sales, and don't know
Wow. (Score:3, Interesting)
To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
Re:Wow. (Score:5, Informative)
Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?
To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?
a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.
b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.
The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.
It's a terrible idea. (Score:2)
So, you're surfing from home and you go to a site with a banner and you get a drive by infection.
Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.
Who the fuck thought it would be a good idea to allow other apps to open the firewall?
Re: (Score:2)
Who the fuck thought it would be a good idea to allow other apps to open the firewall?
Sales and Marketing?
Re: (Score:2)
Who the fuck thought it would be a good idea to allow other apps to open the firewall?
UPnP allows something similar. Disabling such features wouldn't necessarily gain much because if malware does get in, it's just as easy to initiate the connection from inside the home firewall and keep it open - with the added benefit that the control server knows which nodes are online because there are connections open to them. Otherwise it'd have to keep a list of which IP addresses are compromised and contact each one whenever it wants to do something - which would be slow, and wouldn't deal very well
Re: (Score:2)
What exactly is the problem with management apps reading from and writing to network device configuration as long as it's implemented securely?
That it won't be implemented securely in many cases.
Effectively you have an RPC interface which can be called by a web browser; that is an insanely bad idea, because any security flaw which exists can be remotely exploited by telling the web browser to access the relevant URL. I don't believe there's any similar way to remotely exploit flaws in an SNMP interface.
Sky is falling! ...I think, maybe. (Score:2)
It's one thing to be a commenter/whistle-blower - it is entirely another to be an apologist in the same breath.
Once you pull the trigger, you can't run,
UBICOM Based Routers? (Score:5, Informative)
It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list [dd-wrt.com] happens to have a list of routers that use UBICOM boards.
Some other UBICOM based devices listed in TFA's comments include:
Re: (Score:2)
Given Ubicom makes their own CPU, I would be surprised if it isn't in all Ubicom boards past a certain software revision. Ubi
Comment removed (Score:3, Interesting)
Re: (Score:2)
If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit), you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.
As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products. http://forums.dlink.com/index.php?board=144.0 [dlink.com]
Odd, I have this model... and with v1.15 (2008/10/29) the admin page says I have the latest version of the firmware. I wonder if they stopped pushing anything that came later.
Re: (Score:2)
It's odd that these days the top-of-the-line, most expensive flagship products are the most buggy. See:
- MSI X58 Eclipse SLI (BIOS reflash bricking problem, some problems with the IOH (northbridge) thermal compound application from the factory, and it's not their first board to have this)
- Nokia N900 (hardware flaws including the USB port coming clean off the board in normal use, a fuckton of bugs in original OS release).
- There's a similar clusterfuck with a high-end Linksys router (can't remember the mode
Re: (Score:2)
Yeah, I've found Airlink products to be pretty good too, for low-cost hardware. Though leaving a passwordless telnet root login open by default on their IP webcam wasn't the most secure configuration ever :).
Re: (Score:2)
As much as I do love m0n0 and PFS, it's not really the same market. These require x86 hardware, while DLink caters to the low-cost OTC MIPS-type stuff, much more appealing to the non-techie home and SOHO user, to whom I enthusiastically recommend Tomato-compatible hardware, such as the always-on-sale ASUS WL520-gu.
But yeah, I've never understood why DLink is as popular as it is. I've seen countless numbers of those things either fail right out of the box, or begin to fail, either outright or in subtle ways,
Attack is Significant but Will not be Pandemic (Score:4, Informative)
This attack only works when a system on the LAN initiates it.
It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.
I'm guessing that this is successfully used only in highly targeted attacks.
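The comment above notes that the attack has to be initiated from the LAN, for example through DNS rebinding and JavaScript on a web page. As an added example (not part of the thread, and not D-Link's or any vendor's code), the following shows checks a LAN management interface can apply to refuse such browser-initiated requests; the addresses, host names and function names are constructed assumptions, and it goes slightly beyond rebinding to cover plain cross-site requests as well.

```python
from urllib.parse import urlsplit

# Constructed values: the names and addresses this router answers to on its LAN side.
ROUTER_HOSTS = frozenset({"192.168.0.1", "router.lan"})


def host_from_header(value):
    """Host part of a Host header ("name", "name:port", "[v6]:port"), or None."""
    value = (value or "").strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal
        literal, bracket, rest = value[1:].partition("]")
        if not bracket or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            return None
        return literal or None
    host, colon, port = value.partition(":")
    if colon and not port.isdigit():
        return None
    return host.rstrip(".") or None


def host_from_url(value):
    """Host part of an Origin or Referer value, or None ("null", garbage)."""
    try:
        host = urlsplit(value.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def check_request(method, headers, changes_state, allowed_hosts=ROUTER_HOSTS):
    """Decide whether a management request may proceed. Returns (allowed, reason).

    Authentication is a separate step; these checks only reject requests that a
    browser was tricked into sending.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # DNS rebinding: the browser believes it is talking to the attacker's name,
    # so the Host header carries that name even though the IP is the router's.
    if host_from_header(h.get("host")) not in allowed_hosts:
        return False, "host-mismatch"

    if not changes_state:
        return True, "ok"

    # Configuration changes must not be reachable by a plain GET (image tag, link).
    if method.upper() != "POST":
        return False, "state-change-needs-post"

    # Browsers attach Origin (or at least Referer) to cross-site POSTs.
    # Assumed policy: when neither is present the caller is a non-browser
    # management client and only authentication applies.
    source = h.get("origin") or h.get("referer")
    if source is not None and host_from_url(source) not in allowed_hosts:
        return False, "cross-origin"
    return True, "ok"


# Constructed sample requests: (method, headers, changes_state)
SAMPLES = [
    ("POST", {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"}, True),
    ("GET", {"Host": "rebind.attacker.example"}, False),
    ("POST", {"Host": "192.168.0.1:80", "Origin": "http://evil.example"}, True),
    ("GET", {"Host": "192.168.0.1", "Referer": "http://evil.example/page"}, True),
]

if __name__ == "__main__":
    for method, headers, changes_state in SAMPLES:
        print(method, headers, check_request(method, headers, changes_state))
```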
Re: (Score:2)
How about just busting into their wifi? There is an AP near the tram stop I use called "DLINK". I use it sometimes to check stuff while waiting for the tram to go. Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect. A lot of the time it gets on too.
Re: (Score:2)
Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect.
This is the big problem with unsecured access points. Linux is probably pretty safe but if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?) and you could be pwned pretty readily either by the owner of the access point or by someone else who just happens to be connected too.
Re: (Score:2)
if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?)
The MAC address?
Re: (Score:2)
The MAC address?
Hmmm... that is visible but I don't think Windows pays any attention. Otherwise if you added another unsecured 'DLINK' SSID down the other end of your house it wouldn't 'just work'.
Re: (Score:2)
I can't say for all the affected routers but the D-Link 655 has a guest mode for unsecured wireless networks. This means this essid only provides internet and not access to the LAN. To get to the LAN you need to use the other secure essid (the router can handle multiple wireless networks with varying security).
Just checked D-Link's website (Score:2)
I hope they release soon, I know a few not so savvy users who have this model.
Re: (Score:1)
Whatever you do, don't install v1.32NA. It's garbage! I wish I never did!
I've been waiting for an update for months now, with a reboot every couple of days.
When it works, it's fine, but it is certainly not stable.
Re: (Score:2)
Turn off the internal DNS stuff (DNS Forwarding, I think it was called?). That fixed it for me. I was really upset about it until I found that fix.
I have nothing to contribute to this conversation (Score:1, Offtopic)
I really don't :(
Hopefully this whole thing gets corrected without too much harm :)
Problem Is More Widespread Than Reported! (Score:1, Insightful)
This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting uPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.
Search for some of the
Re: (Score:2)
So is a user better off using a Linux box as a router? How about Windows Server 2008 R2? Anyone know?
Re: (Score:2)
but that's for wireless routers, NOT wired which the parent poster was mainly referring to
I don't see how that's a problem. Wireless routers work fine wired. Disable the wireless if you don't want it. Most of the compatible models are not expensive.
Also, inclusion is very limited, per Tomato's homepage
How many do you need? Some of these are more available than others. Some are less expensive than others, but in the end, once you get Tomato on them, they're all more or less equally functional.
Re: (Score:2)
Router companies would then have to charge $400 for a consumer grade router.
Producing a router that doesn't have a fancy web interface that allows any web site to reconfigure it with an embedded image URL is likely to be cheaper than producing one which does have a fancy web interface with vast security holes.
The problem is that the companies go out of their way to make routers 'user-friendly', and in the process make them cracker-friendly too.
DI-524 workaround? (Score:1)
If I read that right I should be fine as long as I secure the user account as well as the admin
Only fools buy D-Link trash anyway (Score:1)
DIR-615 (Score:2)
Maybe that's why the last DIR-615 was acting strange, I replaced it with another DIR-615 but it has firmware version C1. Guess I'm safe, for now..
Re: (Score:2)
I have a DIR-615 (got it for free) running the latest firmware. It's mostly reliable but sometimes it kicks off all the computers on the wireless. Used to happen once every two days or so. It happens less frequently since I disabled "Short GI."
Dlink-feh (Score:2)
I wouldn't buy a BRICK from DLink anymore. I have yet to see anything made by them that wasn't the worst I'd ever seen of whatever it was. NICs, routers, switches, whatever, they were all crap, with crap drivers, crap firmware, crap everything. They must have the schmoozingest marketing department ever to still be in business.
Re:fdsfds (Score:5, Funny)
Re: (Score:2)
lol my thoughts exactly. Slashdot is the anti-ugg crowd. If you wanna spam, at least spam geeky shit. I might click on that.
Re: (Score:2)
I don't know how far this attack goes, but there was an attack on some models of home routers in Mexico a while back which used an embedded image URL to reprogram their DNS to forward connections to a bank site to a phishing site so that they could steal passwords. If you can reconfigure the router in arbitrary ways then you can pretty much take control of the Internet as far as the computers on the LAN side are concerned, at least if they use DHCP to get their network information.
This is one reason why I h
Re: Hardcode to ISP DNS server, (Score:2)