D-Link Patches Critical Vulnerability In Older Routers
An anonymous reader writes "D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions' security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later."
Well that's good. (Score:5, Insightful)
Re:Well that's good. (Score:5, Insightful)
The NSA wants to have access but keep others out. Known vulnerabilities let the "wrong" spies in. Why do you think *cough* "DLink" *cough* released this patch, anyway?
Re: (Score:2)
a manufacturer actually doing whatever they can to mitigate the bad publicity that goes along with the revelation of a critical security flaw
FTFY.
Re: (Score:1)
Yay! D-Link fixed a router firmware! Remember this rare occasion. If past experience serves as a guide, best let the pawns upgrade first...
Re: (Score:2)
Sorry, I don't buy this for more than 10 milliseconds. D-Link customer in Mumbai has an attitude that the customer is a dummy, and when he calls in to get some help with a real problem, he either gets the brushoff, or they ask for the serial number and suddenly discover the device I bought new from Wally's (I'm out in the puckerbrush, Wally's is as hi-tech as can be driven to locally) a week ago was sold, then returned as defective over a year ago by another dealer, and has been marked as having been dest
Re: (Score:2)
According to Wikipedia, DD-WRT haven't put out a stable release since 27 July 2008!
Re: (Score:2)
Wikipedia is editable by anyone. And no one has come through dd-wrt here that I didn't give them the password to do so. No one. I used to watch the logs while the NK and CN folks hammered on it for hours at a time, but that got boring although I did occasionally cost someone their net account if they were being a big enough pest to DDOS me. Those sorts of attacks have actually decreased, I think they've some sort of a fingerprinting thing now that tells them if it's a vulnerable target, so they don't wast
Routers impacted (Score:5, Informative)
Re: (Score:1)
And what percentage of those do you think will ever actually get the update?
Now the question is.... (Score:5, Insightful)
Re: (Score:1)
Remote Management (Score:1)
I mean, who enables remote management of their router?
I get the fact that sometimes you gotta open stuff up remotely; but in that case, you'd hop onto your jumpbox and then launch a browser to log into your router.
Re: (Score:2)
Back in the day, a lot of consumer routers and access points* came out of the box with remote management enabled. It was something that only we geeks knew how to turn off. More importantly, knew why to turn off, and if left on, we had good reason for so doing. With other than the default password. Which leaves the other 99.42% of buyers with it still wide open.
I remember at least one Linksys and one D-Link out of the half-dozen or so I went through in the late-90's through mid-2000's that defaulted to remot
What percentage will be upgraded? (Score:2)
Re: (Score:1)
The average user uses the router provided by their ISP; the average ISP provides a wireless connection as well as a wire to the customer. Most of them don't ever buy another router.
Of those who do, a substantial percentage are the type to know what a firmware update is, and why you would want one.
Of those who aren't, I suspect (but have no proof) that a substantial percentage are the type to replace their router periodically anyway, to keep up with their new devices. They go to the store and say that they'r
Re: (Score:2)
What am I missing here? Don't know of any ISP that supplies routers. And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.
Re: (Score:1)
What am I missing here? Don't know of any ISP that supplies routers.
What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion. Whether you get the crappy little DSL modem from ATT or the Xfinity modem from Comcast, you're getting a really crap router with a really crap modem built in; in the former case it's a DSL modem, and in the latter a DOCSIS cable modem. Usually it's no more than 802.11g, but that's adequate for most purposes for users with few wireless devices. The box is installed near
Re: (Score:1, Flamebait)
There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.
Re: (Score:1)
There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.
Instead, I'm trying to figure out if you're actually a different asshole, or another account of the same asshole, trying to look like a different asshole. But your other comment is utterly devoid of value as it does not, in fact, contain any information on what percentage of customers are provided with routers with wireless modems in them. Further, on a completely snarky tip, even customers who do not receive a wireless router are still going to receive a router in the majority of cases. It won't be a wirel
Re: (Score:1)
You are a very rude and vulgar person. Shame on you.
You are a coward, not only afraid to log in but also of free expression of the amygdala. Shame on you, and your fear.
Re: (Score:1)
I am a different asshole. That is why I answered the question of the person who you chose to mock in an effort to feel significant.
Feel free to taunt all you want. My constitution is too great for something so insignificant to alter.
Re: (Score:1)
In fact "virtually every" can be considered "virtually incorrect". Seeing you discuss it as a "gross exaggeration" and not blowing it off as a total troll made me realize that maybe some people have a perspective that only consumer devices connect to the Internet. And for those people I would just like to point out that the majority of the infrastructure that consumer devices are browsing is connected to the Internet over a physical medium (with a great number still on a base to broad setup).
However there
Re: (Score:1)
Recently many major ISPs have started to provide them as part of the contract.
I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.
But to your point and the dismay of many who seem to know it all, there are still quite a few companies (and one of the above) I can also say the opposite for.
Not all markets are the same and I know in some Comcast markets they do not provide a wireless router without an additional charge.
I know ATT and Brighthouse do not offer a w
Re: (Score:1)
Re: (Score:1)
If you are referring to ISP meaning the corporation, I see the same. But if you investigate individual markets you will likely find even many of the large corporations have coverage gaps for leasing certain equipment. And for some reason wifi routers seem to be one of those pieces of equipment.
Thanks for the intelligent response though. I definitely agree (assuming you are implying this) that in today's day and age most ISPs should take advantage of that easy money. After all, 5 bucks a month on a $40-60 ite
Re: (Score:2)
Recently many major ISPs have started to provide them as part of the contract. I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.
Comcast would happily rent me one of their routers, and I'm beginning to see their wireless routers litter the RF landscape near my house.
Charter Cable would also enable the wireless features on the router I have through them. They apparently stock and install one cable modem/wire+wireless router and then enable what you pay for.
Personally, I bought the cable modem for my Comcast connection, and run a D-Link wire-only router behind it for routing. And then whatever wireless router I feel like behind that
Re: (Score:2)
What am I missing here? Don't know of any ISP that supplies routers.
Maybe this is a regional thing, round here pretty much every ISP either gives you a router or tries to sell you one when you sign up for service. Some even insist on you using it.
And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.
It depends, if you are on ADSL or a slow cable package then it's not going to make much difference.
As you move up to high end cable or FTTC+VDSL services then older routers can certainly become a bottleneck and if you move up to FTTH services then you will almost certainly need a new router to avoid bottlenecking the connection.
Level of difference made : next to none. (Score:5, Insightful)
Re: (Score:3, Insightful)
That is not the point. This release is about patching their corporate image, not the firmware.
Re: (Score:2)
That is not the point. This release is about patching their corporate image, not the firmware.
Well, then they are doing a good job because in my eyes a company that properly supports hardware, does have a better image.
Re: (Score:2)
"How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it."
This has broader applicability as well. No matter how much software people may wish otherwise, people treat their hardware like a black box and it makes no sense to them for it to be changing after the fact.
So you have massive vulnerabilities in just about anything ever shipped, because of the way software is developed. (The
Re: (Score:2)
Put it all together and security is usually a bad joke.
Always act and behave as if there is no security for any device with a network connection, everything else is just some form of wishful thinking.
Re: (Score:2)
Can't say, but I can state positively that all of my customers who are currently on a d-link will be upgraded. It's in my best interest, as I'd have to repair the damage if they get compromised.
Another bug... (Score:3, Informative)
Now they've to patch this... http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html
Re: (Score:3)
What's wrong with D-Link... well. I worked for D-Link support a long time ago, but it looks like nothing has changed. The people in Taiwan are doing their thing, and there's a lot of layers between them and the end user. I might still be bound by some kind of contract blaha, but one example: they refused to release the gpl'ed firmware sources to customers until I first
Re: (Score:2)
Late in 2009 I had the opportunity to setup a brand new D-Link DAP 1522 access point and I discovered a telnet interface with hardcoded credentials in the firmware. I have never disclosed the vulnerability to the vendor or publicly. Four years later the issue is still there on most D-Link SOHO network devices.
(emphasis mine)
I don't doubt the existence of this vulnerability, just the motives and timing behind disclosing publicly on this blog.