Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify (theregister.com) 144

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.
Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.
This discussion has been archived. No new comments can be posted.

D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify

Comments Filter:
  • by MpVpRb ( 1423381 ) on Wednesday November 20, 2024 @02:29PM (#64960365)

    Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything

    • by lsllll ( 830002 )

      Lucky for us there are usually alternate OSS firmwares (for routers at least) to load and use manufacturers for what they're best at: factories and assembly lines.

      • Which is why I ALWAYS buy ONLY routers that can run one of the third party firmware out there.. My favorite is Freshtomato, odd name, great replacement for the, often braindead firmware that comes with routers.

        • If it doesn't run vanilla openwrt I don't mess with it. I might consider running a different firmware, but I know openwrt is quality.

          I like going to yard sales and whipping out my phone and checking their hw support db. I am working on getting enough nodes to build an emergency network for my tiny little town.

        • Tomato is an amazing piece of software. Even going back to the original, it was just so well designed as a UI. I don't use consumer stuff anymore; I've got an SMB router and AP's. But man, did that thing unlock so many possibilities of the hardware that the factory software just wouldn't do...

          I've got a Buffalo WHR-HP-G54 and probably 2-3 Asus models sitting in closets gathering dust that have it on board.
        • Some of these routers have apparently been EOL since 2015. Are versions that support hardware that old actively maintained?

    • Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything

      I've had my DSR-250 (non-wireless) since 2011. I don't use the VPN features, but do have two VLANs configured -- one for wired devices; one for wireless, off a DAP-2660 -- and both routers have worked great. I've been considering switching to a PC-based router running pfSense / OPNSense / IPFire (etc) but haven't been able to decide on which one and on what hardware. I have a few spare small PCs that would be more than adequate, but they pull a lot more power than a mini/micro device, which I'd have to

    • where devices are designed to last a short time

      The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL. You're not making remotely the point you think you are.

      • >"The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL"

        Probably depends on user expectations. That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.

        The router I am using at home right now is a 10-year old Asus RT-AC68U. But I also bought one that was a bit more ex

        • That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.

          Indeed. And if we were talking about something other than a cheap consumer toy I'd agree with you. I come from a country where expected performance is codified into law, yet I'd struggle to be able to justify that a sub $100 plastic accessory should last more than 5 years, even though I have had ones last longer myself.

          Ah, just looked, Asus is still releasing firmware, and there was an update a week ago- ASUS RT-AC68U Firmware version 3.0.0.4.386_51720 2024/11/13

          Congrats. You're not talking about a product that has been off the market for 5 years. Just because ASUS sold something for a long time doesn't mean they don't also have an EOL process. I wil

    • That''s what its called.

      It is bad for the environment, bad for consumers wallets, and wastes countless engineering man-hours designing products to break after a defined service life. Companies may be getting away with this now, but I doubt they will be able to get away with this in a few decades.

      We'll either re-implement the way the Bell System worked in the early to mid 20th century and pay rental fees for our hardware, or the purchase prices will will go up sharply. Both of these are OK IMHO and much bett

  • by peterww ( 6558522 ) on Wednesday November 20, 2024 @02:29PM (#64960367)

    Cars that are unsafe get recalled, no matter how old they are. We need the same laws to cover safety-critical digital infrastructure, so companies are forced to make sure their devices are secure, and to force them to fix these old devices, when safety of tens of thousands are at risk

    • "Cars that are unsafe get recalled, no matter how old they are."

      Really? When was the last Model T recall?

    • by DarkOx ( 621550 )

      I don't think that is true. I can find a reliable reference immediately but I think the limit on auto recalls, at least where the manufacturer must pay for the repair/fix is like 10 years. I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years but it might be at the owners cost at that point.

      In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity. Sure something like a router should last a long time or could but the

      • In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity.

        No, it is not reasonable to expect a vendor to fix problems with a device that are result or it wearing out. It is reasonable to expect a vendor to make a device without unsafe design flaws (which is what a software bug is).
        It's not that the firmware in the device just wore out. It was designed that way from the start and only now people noticed it.

        I really hate the idea that software never works properly and is supposed to be repaired all the time. Imagine buying a car and it being recalled every month bec

        • by DarkOx ( 621550 )

          meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.

          Further lots of automotive products (and basically everything else mechanical) has design flaws that get discovered later often much later. Things eventually fail that really should not fail, or they fail prematurely even if they live well beyond the warranty periods. You could say they were never correct.

          You can think of problems like shape of the windows on model years .... don't seal well with gaskets water ge

          • meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.

            Yeah, I guess until one update does something like Crowdstrike did. That would be fun to watch. Though do you have to have a mobile internet connection when you buy a new car or does the manufacturer pay for it?
            I am genuinely curious, I drive an old car that does not have software.

            A more reasonable solution if anything would be going down the right to repair path and making rules against maintaining artificial impediments like boot-loader signature checks etc to people patching / replacing software. Even that though is going to be a huge mine field.

            I guess that makes more sense.

            With a car design defect (taking your example of door rusting because the gasket does not fit correctly), while I would still consider rust to fall under "wear" problems, a patch can be welded and oth

            • I believe that anyone thinking a ten year old device, Internet-facing, should be supported that long, has shit for brains. This is the Internet, and new and interesting attacks occur almost every day. Hackers gonna hack.

              It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants. The rules of depreciation don't work here.

              Yes, a cheap buy got you on the webtoobies. Every IPv4 addresses gets pounded 24/7 by bots. These bots are stupid, until one isn't. It's only

              • It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants.

                It's not that we necessarily expect them to continually provide updates for old products, its that we expect that if they stop providing updates, then they should provide the necessary information for the consumers to update them themselves.

                Open source your firmware, and open up your repair instructions, if you're going to stop supporting the product. That's the ask.

                Routers are like tires. They're going to wear out from entropy. Buy new tires.

                Routers are not like tyres, router updates are like tyres. The car manufacturer identifies the specifications of tyre which will work with the

                • I agree that they could open-source it. Their license, a decade ago (or more) might say that the copyright is exclusive, or some other legal rubric that forbids dissemination. I don't know.

                  But for the same reason, entropy eats tires, and entropy eats security components-- especially gear connected to the fabulously dangerous raw IPv4 exposure.

                  Nothing is fixing old tires. Nothing is fixing old routers.

                  • by dryeo ( 100693 )

                    Nothing is fixing old tires.

                    Never heard of retreads?

                    Nothing is fixing old routers.

                    There are alternative operating systems for many of these old routers, just need an unlocked bootloader to load them.

                  • Their license, a decade ago (or more) might say that the copyright is exclusive, or some other legal rubric that forbids dissemination.

                    There's these things called regulations. They exist because companies often like to make money to the negative benefit of society. Sounds like it's time for another one to be made to curtail harmful industry practices.

                    entropy eats security components

                    No, bad design decisions create flawed security components that cannot be fixed without the blessing of the original manufacturer. Who always has a profit motive to have you replace the entire product with a new one. That's not entropy, that's greed.

                    fabulously dangerous raw IPv4 exposure

                    WTF is that even supposed to mean? Anythi

              • Routers are like tires. They're going to wear out from entropy. Buy new tires.

                Routers are not like tyres. Tyres wear out from use, if I don't drive a lot tyres last a long time.

                I just dislike that software devs are given free pass on the huge amount of defects every software has as if it should be normal that every software has the equivalent of 50 bolts that are not tightened and not a single hose clamp in the entire car with the developer fitting a hose clamp or tightening a bolt when it is discovered that something is wobbling or some fluid is leaking.
                And yeah, the owner is not al

              • Yes, it would be great (and a minefield as mentioned above) to permit firmware updates by third parties.

                This should be mandatory.

                Routers are like tires. They're going to wear out from entropy. Buy new tires.

                You just said it was permissible to require replacement of the entire vehicle. Pick a side. If people could buy new tires (third party firmware) they would. No-one wants to replace the entire vehicle (internet facing device) because the passenger door has a broken window (security vulnerability).

            • can't use a 20 year old operating system.

              Windows XP, Vista, and 7 could be reasonably patched by third parties. The kernel would need to be patched to allow an alternative root CA to sign things, but hackers have been doing that for years.

              UEFI systems with Secure Boot will require you to install your own platform key, or otherwise have access to a key that is considered valid for signing a bootloader, but most systems allow this and once past it patching the windows kernel is more or less the same. If you're using Windows 10, you can even reuse

              • I can run the old OS on old hardware (that is one of my gripes - that due to software defects I cannot or should not use the hardware anymore, even if the hardware runs well and can still do the job it originally did).

                While Windows could be patched by third parties, I'm sure if anyone tried that, Microsoft would sue them so fast that it would go faster than light in the process. And that's one of the problems - Microsoft admits that Windows XP has severe design flaws and should not be used as-is, Microsoft

      • by Waffle Iron ( 339739 ) on Wednesday November 20, 2024 @03:02PM (#64960495)

        I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years but it might be at the owners cost at that point.

        I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.

        • I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.

          The airbag incident definitely was a special case. It wasn't a recall based on the car or the manufacturer of the car. It was due to a global airbag supplier's hand being forced by multiple regulatory agencies all over the world, even the European Commission got involved directly. - That supplier Takata has since gone under after it was found virtually every airbag they ever supplied had a potential defect. Ultimately they recalled over 67million airbags in the USA and double that again in the rest of the w

      • by kackle ( 910159 )
        My daily driver is 25 years old and I still get recall mailings for engine fires. (I haven't found a way to tell them that I've already replaced the engine myself.)
      • If it's a safety issue then there is no time limit. Defects in seatbelts can result in recalls decades later if enough of them start cropping up to get noticed.

    • by rta ( 559125 )

      Emotionally really hard for me not to agree w/ this when i see the language D-Link is using... especially for some products that reached EOL just in May 2024

      "Regardless of product type or US sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease,"

      "D-Link US is prohibited to provide support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office," it added. "If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware, D-Link does not support open-firmware which voids any warranty and is solely the responsibility of the device's owner."

      Especially the phrase "D-Link US is prohibited to provide support for these EOL/EOS products". Prohibited by whom or what? This is purely a corporate policy. perhaps it is technically true that "D-Link US" is "prohibited" by "D-Link Taiwan" from doing anything about this, but this phrasing is a dodge.

      The truer statement is "D-Link US is choosing

      • Microsoft has some pretty hard lines for its EOL products, but even it has decided here and there to publish patches for EOL platforms when something was serious enough.

    • by gweihir ( 88907 )

      I agree. The situation is becoming increasingly unacceptable.

  • People out there actually trusted D-Link with their VPN? Noobs.

    • by gweihir ( 88907 )

      I have never really trusted any "appliances". VPN, NAS, firewalls, etc. all insecure crap.

      • Sure, that's why I won't buy a router that I can't run openwrt on. I am using a Linksys WRT1200AC, I don't use it for a VPN of course but I do run transmission on it so I can torrent while my PC sleeps. My PC is wired to it and the wifi connects to my ISP's router, which of course I don't trust but it's also a cable modem and I haven't wanted to buy one when theirs works reliably and many have reported problems using third party modems on this network.

        • by gweihir ( 88907 )

          Exactly. I mean, just one week of security alerts for "security" appliances and NAS appliances shows clearly they cannot be trusted. OpenWRT, PFSense, Linux NAS distros, all massively superior to the commercial "This Box will solve your problems! Honest!" crap. And as a bonus, you very rarely have to throw them away because no updates anymore.

  • by Powercntrl ( 458442 ) on Wednesday November 20, 2024 @02:29PM (#64960373) Homepage

    They're all going to end up at Goodwill, right next to the pile of old DVD players.

    • by lsllll ( 830002 ) on Wednesday November 20, 2024 @02:43PM (#64960411)

      Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.

      • Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.

        Two out of the six models affected were EOL’ed in 2015. Just to give you a rough idea of the situation customers are in.

        If you’re still running a router/firewall that stopped receiving support a fucking decade ago, you probably have no idea what a “computer person” is.

      • Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT.

        There are still Microsoft fanboys out there telling people that everything Linux is bad. Most people who think they're computer people actually don't know shit about shit, just like everyone else. They have limited scope, and know nothing outside of it, but because they know a lot within their scope they think they know a lot in general. Most people don't have experience generations of heterogeneous systems like some of us do here on Slashdot, so they have no basis for comparison.

        Add to this that actual ner

    • They're all going to end up at Goodwill, right next to the pile of old DVD players.

      The DVD players will still work 6 months from now when you power them on.

  • by NewtonsLaw ( 409638 ) on Wednesday November 20, 2024 @02:41PM (#64960403)

    Hasn't D-Link just signed its own death-warrant with this?

    Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?

    What are they smoking?

    • Hasn't D-Link just signed its own death-warrant with this?

      Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?

      What are they smoking?

      What alternative do you propose? Can you name a vendor who provides retrospective support for an EOL product that hasn't been sold in quite a while? Even the product in the list with the most recent EOL date is a decade old and hasn't been on the market for a while.

      • My current router is an Asus RT-AC68R/U which according to Asus is no longer supported. Though I bought this router on ebay, I knew it was "unsupported", but since I was planning on putting the FreshTomato firmware on it, which is regularly updated, and has features out the wazoo, that the stock firmware could only wish, I didn't care..

        • I just checked on the Asus page for my RT-AC68U and it *is* still supported- they just put out a new firmware last week for it.

          Mine is running Tomato so I don't care about the factory firmware, but this means Asus is still putting out firmware OVER 10 YEARS after I bought it (which was 10-25-2014). There is a good reason I picked Asus and this particular model :)

        • That router very much is still supported. And it hasn't been withdrawn from sale for anywhere as long as the devices we are talking about. The RT-AC68R actually had an incredibly decent run, being on the market for quite a bit longer than many other devices, but it isn't 5 years past last sale date and it hasn't been listed as EOL yet.

          I have to say kudos to ASUS though, it's still getting firmware updates beyond just security bug fixes. https://www.asus.com/networkin... [asus.com] which is a step above what most compa

    • Is this much better than charging for fixing flaws like many other do?
    • by xack ( 5304745 )
      Tens of millions are still using Windows 7 and XP, people are very reluctant to give up stuff just because it's "unsupported". It affects the Linux world too, see how many python2 installs are still out there.
    • The people shopping on Amazon or at Best Buy will know nothing about this.
    • Information asymmetry is still king. People simply do not know that there are better things out there.

      Similarly, how many people keep paying crazy CC interest and monthly fees to huge banks? If you ever carry a CC balance, get thee to a credit union immediately. And you should never pay a bank fee unless you screw up; if nothing else look at Schwab. That's all real money just thrown away for nothing.

    • by gweihir ( 88907 )

      Who in their right mind would buy or use any product bearing the D-Link brand

      A lot of people are not "in their right mind", and D-Link sales will probably not even be impacted. A working market needs competent buyers. We have too few of them.

  • Synology (Score:4, Informative)

    by JBMcB ( 73720 ) on Wednesday November 20, 2024 @02:42PM (#64960407)

    I'll stump for Synology here. I got an RT5600ac about six years ago. It still runs great, and they still sell and support it with regular security and bug fixes. The great thing about these is they are so old now you can get them used for cheap. I bought a used one from Salvation Army, sans power adapter and one antenna, for $10, that I'm going to use as a mesh extender with the first one. I've seen them on eBay for $40. If you don't absolutely need ax, it's a great option.

    • The most current item in the list was released in 2014, and was in support for as long as your Synology device. If you want to make a compelling argument to switch vendors then you'll need to find one which is appreciably different from D-Link. Synology is not, they also don't patch devices past EOL date.

      • If you aren't familiar with them, Synology is known for supporting their stuff. The DS111 NAS was released in 2010 and had it's latest firmware update last year. That's 13 years of support.

        • NAS != VPN router. I'm happy to be proven wrong, show us a VPN router that was removed from sale prior to 2017 from Synology in current support and I will happily grab my megaphone and rave about them with you.

          Compare like products.

          • Well, the RT2600ac (I got the model number wrong) was their very first router released in 2017, and they still sell and support it to this day. The D-Link DSR-250N was released in 2020 and EOL'd four years later.

            Do you know of any other home router that has had seven years of support? Again, Synology is known for their support.

    • I prefer Mikrotik. Their devices are great, very customizable and have lots of features (some features run slow on some devices though) They also issue updates even for very old devices. I have a device made in 2007 (looking at the date codes on the chips) and the latest version of RouterOS still supports it. I had to recap it though, but, well, electrolytic capacitors do not last forever.

      • I had two routerboards which even when they were new were pathetically unreliable. Whether with RouterOS or openwrt they would freeze at least every few days and I had to restart them. I've heard they are better now, but I'm not willing to take the chance.

        • That makes sense. In my experience Mikrotik devices have been very reliable. The two that started freezing/rebooting/etc were quite old and needed new capacitors. After I replaced the capacitors, there were no more problems with those devices. MT is my go-to recommendation on what router to use for my clients (as the office router etc) and so far, no complaints. I know some ISPs that use Mikrotik CRS switches and they have been reliable as well.

          Strictly for WiFi APs I prefer Ubiquiti UniFi series, but Mikro

  • I recently found out that there are massive routers for cgNAT [ispreview.co.uk] because of multi trillion companies [github.com] refusing to use IPv6, so everyone's new shiny gigabit fiber connections all have to squeeze through a cgNAT tunnel for said websites. Then there are all the old routers, many of them 30 years old in many core networks of ISPs, facing large amounts of DDOS attacks because they refuse to patch their software because they'd rather spend the money on new AI GPUs instead fixing critical hardware. Just wait, there wi
  • by viperidaenz ( 2515578 ) on Wednesday November 20, 2024 @04:27PM (#64960749)

    Limited Lifetime Warranty
    D-Link offers a Limited Lifetime Warranty on the DSR-150 VPN Router to further its commitment to product quality and long-term customer confidence.

  • so you could have bought a new one then and have to to 6 years warranty in the EU.
  • Its highly unlikely D-Link owns any of the ip in side of it. They bought the chips, licensed what ever Stack came with them and probably just slapped on their UI all over it.
    I doubt there is any thing they can really do.
     

  • When it comes to supporting products, D-Link are D-Bags.
  • by upuv ( 1201447 ) on Wednesday November 20, 2024 @06:06PM (#64961013) Journal

    It's very simple cars for many decades in most countries have had laws around them that govern health and safety. Routers do not. Organisations that employ routers may have health and safety laws but routers do not.

    - Thus a 20 year old car will receive a recall if a defect is found that can harm others.
    - A router manufacture will not be required to fix a flaw endangers the users of traffic that traverse it.
    - An organisation such as a hospital will be required to resolve a networking issue that has the potential to impact negatively a person or persons.

    In most western countries the responsibility has been placed on the owners and operators of digital equipment rather than the provider of the equipment. Thus protections do exist it's just that the responsibility of meeting those protections is on different shoulders.

    The beef most people have is that more individuals as owners of these digital products now have to bare the cost of resolving the issue rather than the equipment provider.

    It should be noted that this shift in responsibility is a large contributor to reducing the costs associated with the purchase of these devices. Routers are cheap, like really cheap. Cars these days are not. If the responsibility for safety of a car was on the owner then cars would be extremely cheap. Like $1000 at most. It'd be a death trap but it'd be cheap.

    So how do you protect yourself as a device owner. The only real way is to ensure that you have the power to modify and improve the device. This largely takes the form of running alternative/additional software on the device.

    So always check if it can run software like OpenWRT, DD-WRT, OpenSense etc. Make sure that software packages on the device can be updated via a different source. EG can you install someone else's version of OpenVPN? You don't need to do this with a car. Since the responsibility for safety is on the manufacture.

    So again to complain that the router vendor is responsible is false. You probably don't like this call. But if you want it the other way then the price of routers is going to skyrocket.

  • I trashed your router awhile ago, I'll stick with my MikroTik thanks.

  • If you keep buying stuff from D-Link, you deserve it

Hackers are just a migratory lifeform with a tropism for computers.

Working...