D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify (theregister.com)

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.
Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.

  • by Anonymous Coward
    "Most of the details about the bug are being kept under wraps given the potential for wide exploitation"
    • That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people who haven't replaced their devices yet. By keeping it as secret as possible they protect as many people as possible.

      Of course, they still have to disclose that the bug exists at all, which they did.

      It would be even better if they released a fix. Telling people to replace their devices sure seems like bad business to me. But that is a separate issue from the issue of how much detail they di

      • "That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people who haven't replaced their devices yet. By keeping it as secret as possible they protect as many people as possible."

        Security by obscurity: best industry practice. Who knew?

        • I'll say this, if I buy a router from you then you hit me up with this bullshit/excuse/crazyline I'll never buy another. However, D-Link already blew it several times over bricking several devices I've owned (but nothing recently, bubbye D-Link hello Linksys and TP-Link).
        • "That's perfectly ethical. Revealing the details would give information to criminals who would use it to hack people ..."

          Security by obscurity: best industry practice. Who knew?

          Strawman, they said "ethical" not "best practices". It is ethical because releasing the info would just help the less competent and less knowledgeable criminals. Doing so would make a bad situation worse.

        • Nope. "Security through obscurity" is when your initial system design fails to use good security practices, and you rely on "but nobody knows the protocol" or "nobody knows the port" or "nobody knows the password" as your design-level security implementation.

          In this case, an unintentional security bug was discovered after release. It is still responsible to issue a patch, but it is also responsible to keep the details a secret to protect users until they can get the patch.

          D-Link is refusing to issue a pat

      • All that telling owners of affected routers to buy a new one is pretty close to perfectly guaranteed that they will buy some OTHER brand other than these shitheads products.

        • Well, many on the list were EOL back in 2015, plus they are giving you a 20% discount on your new router. Now patches would ofc be preferred, but then there is also the problem with "some OTHER brand" that you don't know if they would even disclose that their EOL models had a flaw to begin with, so switching vendor does not automatically improve your situation.
  • by MpVpRb ( 1423381 ) on Wednesday November 20, 2024 @02:29PM (#64960365)

    Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything

    • by lsllll ( 830002 )

      Lucky for us there are usually alternate OSS firmwares (for routers at least) to load and use manufacturers for what they're best at: factories and assembly lines.

      • Which is why I ALWAYS buy ONLY routers that can run one of the third-party firmwares out there. My favorite is FreshTomato, odd name, great replacement for the often braindead firmware that comes with routers.

        • If it doesn't run vanilla openwrt I don't mess with it. I might consider running a different firmware, but I know openwrt is quality.

          I like going to yard sales and whipping out my phone and checking their hw support db. I am working on getting enough nodes to build an emergency network for my tiny little town.

        • Tomato is an amazing piece of software. Even going back to the original, it was just so well designed as a UI. I don't use consumer stuff anymore; I've got an SMB router and AP's. But man, did that thing unlock so many possibilities of the hardware that the factory software just wouldn't do...

          I've got a Buffalo WHR-HP-G54 and probably 2-3 Asus models sitting in closets gathering dust that have it on board.
        • Some of these routers have apparently been EOL since 2015. Are versions that support hardware that old actively maintained?

    • Where devices are designed to last a short time and companies build their business model on customers constantly buying new devices while the companies refuse to repair old devices and use every dirty trick in the book to prevent others from repairing anything

      I've had my DSR-250 (non-wireless) since 2011. I don't use the VPN features, but do have two VLANs configured -- one for wired devices; one for wireless, off a DAP-2660 -- and both routers have worked great. I've been considering switching to a PC-based router running pfSense / OPNSense / IPFire (etc) but haven't been able to decide on which one and on what hardware. I have a few spare small PCs that would be more than adequate, but they pull a lot more power than a mini/micro device, which I'd have to

    • where devices are designed to last a short time

      The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL. You're not making remotely the point you think you are.

      • >"The most current device in the list was released in 2014 and had 5 years of patches between being withdrawn from sale and EOL"

        Probably depends on user expectations. That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.

        The router I am using at home right now is a 10-year old Asus RT-AC68U. But I also bought one that was a bit more ex

        • That means you could have as little as 5 years of service (or more, if you bought it earlier). I regularly expect to, and do, run devices longer than just 5 years; especially things that are in the background and not fancy.

          Indeed. And if we were talking about something other than a cheap consumer toy I'd agree with you. I come from a country where expected performance is codified into law, yet I'd struggle to be able to justify that a sub $100 plastic accessory should last more than 5 years, even though I have had ones last longer myself.

          Ah, just looked, Asus is still releasing firmware, and there was an update a week ago- ASUS RT-AC68U Firmware version 3.0.0.4.386_51720 2024/11/13

          Congrats. You're not talking about a product that has been off the market for 5 years. Just because ASUS sold something for a long time doesn't mean they don't also have an EOL process. I wil

    • That's what it's called.

      It is bad for the environment, bad for consumers' wallets, and wastes countless engineering man-hours designing products to break after a defined service life. Companies may be getting away with this now, but I doubt they will be able to get away with this in a few decades.

      We'll either re-implement the way the Bell System worked in the early to mid 20th century and pay rental fees for our hardware, or the purchase prices will go up sharply. Both of these are OK IMHO and much bett

  • by peterww ( 6558522 ) on Wednesday November 20, 2024 @02:29PM (#64960367)

    Cars that are unsafe get recalled, no matter how old they are. We need the same laws to cover safety-critical digital infrastructure, so companies are forced to make sure their devices are secure, and to force them to fix these old devices, when safety of tens of thousands are at risk

    • "Cars that are unsafe get recalled, no matter how old they are."

      Really? When was the last Model T recall?

    • by DarkOx ( 621550 )

      I don't think that is true. I can't find a reliable reference immediately, but I think the limit on auto recalls, at least where the manufacturer must pay for the repair/fix, is like 10 years. I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years, but it might be at the owner's cost at that point.

      In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity. Sure something like a router should last a long time or could but the

      • In any case, it is actually not reasonable to expect a vendor to have to support a product for all eternity.

        No, it is not reasonable to expect a vendor to fix problems with a device that are the result of it wearing out. It is reasonable to expect a vendor to make a device without unsafe design flaws (which is what a software bug is).
        It's not that the firmware in the device just wore out. It was designed that way from the start and only now people noticed it.

        I really hate the idea that software never works properly and is supposed to be repaired all the time. Imagine buying a car and it being recalled every month bec

        • by DarkOx ( 621550 )

          meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.

          Further, lots of automotive products (and basically everything else mechanical) have design flaws that get discovered later, often much later. Things eventually fail that really should not fail, or they fail prematurely even if they live well beyond the warranty periods. You could say they were never correct.

          You can think of problems like shape of the windows on model years .... don't seal well with gaskets water ge

          • meanwhile modern cars are getting OTA updates to software, and the owners just don't realize it.

            Yeah, I guess until one update does something like Crowdstrike did. That would be fun to watch. Though do you have to have a mobile internet connection when you buy a new car or does the manufacturer pay for it?
            I am genuinely curious, I drive an old car that does not have software.

            A more reasonable solution if anything would be going down the right to repair path and making rules against maintaining artificial impediments like boot-loader signature checks etc to people patching / replacing software. Even that though is going to be a huge mine field.

            I guess that makes more sense.

            With a car design defect (taking your example of door rusting because the gasket does not fit correctly), while I would still consider rust to fall under "wear" problems, a patch can be welded and oth

            • I believe that anyone thinking a ten year old device, Internet-facing, should be supported that long, has shit for brains. This is the Internet, and new and interesting attacks occur almost every day. Hackers gonna hack.

              It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants. The rules of depreciation don't work here.

              Yes, a cheap buy got you on the webtoobies. Every IPv4 addresses gets pounded 24/7 by bots. These bots are stupid, until one isn't. It's only

              • It is unrealistic to believe that a decade old platform should be supported, given Moore's Law and variants.

                It's not that we necessarily expect them to continually provide updates for old products, it's that we expect that if they stop providing updates, then they should provide the necessary information for the consumers to update them themselves.

                Open source your firmware, and open up your repair instructions, if you're going to stop supporting the product. That's the ask.

                Routers are like tires. They're going to wear out from entropy. Buy new tires.

                Routers are not like tyres, router updates are like tyres. The car manufacturer identifies the specifications of tyre which will work with the

                • I agree that they could open-source it. Their license, a decade ago (or more) might say that the copyright is exclusive, or some other legal rubric that forbids dissemination. I don't know.

                  But for the same reason, entropy eats tires, and entropy eats security components-- especially gear connected to the fabulously dangerous raw IPv4 exposure.

                  Nothing is fixing old tires. Nothing is fixing old routers.

              • Routers are like tires. They're going to wear out from entropy. Buy new tires.

                Routers are not like tyres. Tyres wear out from use, if I don't drive a lot tyres last a long time.

                I just dislike that software devs are given free pass on the huge amount of defects every software has as if it should be normal that every software has the equivalent of 50 bolts that are not tightened and not a single hose clamp in the entire car with the developer fitting a hose clamp or tightening a bolt when it is discovered that something is wobbling or some fluid is leaking.
                And yeah, the owner is not al

      • by Waffle Iron ( 339739 ) on Wednesday November 20, 2024 @03:02PM (#64960495)

        I am not sure if the DOT/NTSB/whatever can't require a recall of vehicles older than 10 years but it might be at the owners cost at that point.

        I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.

        • I don't know if it's a special case, but I did get a free airbag replacement a few years back on a vehicle that was 21 years old at the time.

          The airbag incident definitely was a special case. It wasn't a recall based on the car or the manufacturer of the car. It was due to a global airbag supplier's hand being forced by multiple regulatory agencies all over the world; even the European Commission got involved directly. That supplier, Takata, has since gone under after it was found virtually every airbag they ever supplied had a potential defect. Ultimately they recalled over 67 million airbags in the USA and double that again in the rest of the w

      • by kackle ( 910159 )
        My daily driver is 25 years old and I still get recall mailings for engine fires. (I haven't found a way to tell them that I've already replaced the engine myself.)
      • If it's a safety issue then there is no time limit. Defects in seatbelts can result in recalls decades later if enough of them start cropping up to get noticed.

    • by rta ( 559125 )

      Emotionally really hard for me not to agree w/ this when i see the language D-Link is using... especially for some products that reached EOL just in May 2024

      "Regardless of product type or US sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease,"

      "D-Link US is prohibited to provide support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office," it added. "If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware, D-Link does not support open-firmware which voids any warranty and is solely the responsibility of the device's owner."

      Especially the phrase "D-Link US is prohibited to provide support for these EOL/EOS products". Prohibited by whom or what? This is purely a corporate policy. Perhaps it is technically true that "D-Link US" is "prohibited" by "D-Link Taiwan" from doing anything about this, but this phrasing is a dodge.

      The truer statement is "D-Link US is choosing

      • Microsoft has some pretty hard lines for its EOL products, but even it has decided here and there to publish patches for EOL platforms when something was serious enough.

    • Cars that are unsafe get recalled, no matter how old they are.

      That is not true at all. In fact I couldn't find any evidence of a car more than 10 years old having ever been recalled.

      That said I agree somewhat with your idea. Some of the products being discussed were only recently declared EOL and worse many are still available for purchase. That does need to be addressed.

      • by Valgrus Thunderaxe ( 8769977 ) on Wednesday November 20, 2024 @03:16PM (#64960561)
        That is not true at all. In fact I couldn't find any evidence of a car more than 10 years old having ever been recalled.

        Actually that is true. I had a 2003 Civic recalled for defective Takata airbags just three years ago.
        • I kept getting recall notices about once every 6 months or so for my 2004 Pontiac Grand Prix. I never brought it in but had the car from around 2016 to 2021. I assume the person I transferred the title to a few years ago is now getting the notices...

        • by DarkOx ( 621550 )

          that was a 'voluntary recall'

          You can debate about what exactly that means and what degree of coercion by government was involved it boils down to they decided they'd rather proactively fix older models than face civil suits from victims.

        • That has nothing to do with vehicle recalls in the USA. The Takata airbag issue was very much a special case that got direct involvement of not just the NHTSA but governments the world over. It has virtually nothing in common with any other car recall and wasn't remotely handled in the same way. Hint: The recall itself was ongoing for over a decade, and even had the involvement of the European Parliament.

          • I got an official recall notice from the manufacturer. That would be a recall, no?
          • Sorry you’re straight up wrong here. I have a Chevy vehicle now 15 years old, and every service visit there is a “recall check” and on a semi-regular basis there is a notice that applies and it is fixed for free. Perhaps have some experience and knowledge before feeling so confident on a particular issue.
    • by gweihir ( 88907 )

      I agree. The situation is becoming increasingly unacceptable.

  • People out there actually trusted D-Link with their VPN? Noobs.

    • by gweihir ( 88907 )

      I have never really trusted any "appliances". VPN, NAS, firewalls, etc. all insecure crap.

      • Sure, that's why I won't buy a router that I can't run openwrt on. I am using a Linksys WRT1200AC, I don't use it for a VPN of course but I do run transmission on it so I can torrent while my PC sleeps. My PC is wired to it and the wifi connects to my ISP's router, which of course I don't trust but it's also a cable modem and I haven't wanted to buy one when theirs works reliably and many have reported problems using third party modems on this network.

        • by gweihir ( 88907 )

          Exactly. I mean, just one week of security alerts for "security" appliances and NAS appliances shows clearly they cannot be trusted. OpenWRT, PFSense, Linux NAS distros, all massively superior to the commercial "This Box will solve your problems! Honest!" crap. And as a bonus, you very rarely have to throw them away because no updates anymore.

  • by Powercntrl ( 458442 ) on Wednesday November 20, 2024 @02:29PM (#64960373) Homepage

    They're all going to end up at Goodwill, right next to the pile of old DVD players.

    • by lsllll ( 830002 ) on Wednesday November 20, 2024 @02:43PM (#64960411)

      Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.

      • Anybody in the situation would surely ask a "computer person" what to do and any computer person worth their salt would tell them to look for an alternative firmware, like OpenWRT or DD-WRT. I haven't kept up as I've long since moved to OPNSense, but there has to be some other new ones, too.

        Two out of the six models affected were EOL’ed in 2015. Just to give you a rough idea of the situation customers are in.

        If you’re still running a router/firewall that stopped receiving support a fucking decade ago, you probably have no idea what a “computer person” is.

    • They're all going to end up at Goodwill, right next to the pile of old DVD players.

      The DVD players will still work 6 months from now when you power them on.

  • by NewtonsLaw ( 409638 ) on Wednesday November 20, 2024 @02:41PM (#64960403)

    Hasn't D-Link just signed its own death-warrant with this?

    Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?

    What are they smoking?

    • Probably a lot of people will buy consumer routers based on price and features, not extended warranty.
    • Hasn't D-Link just signed its own death-warrant with this?

      Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users' systems?

      What are they smoking?

      What alternative do you propose? Can you name a vendor who provides retrospective support for an EOL product that hasn't been sold in quite a while? Even the product in the list with the most recent EOL date is a decade old and hasn't been on the market for a while.

      • My current router is an Asus RT-AC68R/U which according to Asus is no longer supported. Though I bought this router on ebay, I knew it was "unsupported", but since I was planning on putting the FreshTomato firmware on it, which is regularly updated, and has features out the wazoo, that the stock firmware could only wish, I didn't care..

        • I just checked on the Asus page for my RT-AC68U and it *is* still supported- they just put out a new firmware last week for it.

          Mine is running Tomato so I don't care about the factory firmware, but this means Asus is still putting out firmware OVER 10 YEARS after I bought it (which was 10-25-2014). There is a good reason I picked Asus and this particular model :)

        • That router very much is still supported. And it hasn't been withdrawn from sale for anywhere as long as the devices we are talking about. The RT-AC68R actually had an incredibly decent run, being on the market for quite a bit longer than many other devices, but it isn't 5 years past last sale date and it hasn't been listed as EOL yet.

          I have to say kudos to ASUS though, it's still getting firmware updates beyond just security bug fixes. https://www.asus.com/networkin... [asus.com] which is a step above what most compa

    • Is this much better than charging for fixing flaws like many other do?
    • by xack ( 5304745 )
      Tens of millions are still using Windows 7 and XP, people are very reluctant to give up stuff just because it's "unsupported". It affects the Linux world too, see how many python2 installs are still out there.
    • The people shopping on Amazon or at Best Buy will know nothing about this.
    • Information asymmetry is still king. People simply do not know that there are better things out there.

      Similarly, how many people keep paying crazy CC interest and monthly fees to huge banks? If you ever carry a CC balance, get thee to a credit union immediately. And you should never pay a bank fee unless you screw up; if nothing else look at Schwab. That's all real money just thrown away for nothing.

    • by gweihir ( 88907 )

      Who in their right mind would buy or use any product bearing the D-Link brand

      A lot of people are not "in their right mind", and D-Link sales will probably not even be impacted. A working market needs competent buyers. We have too few of them.

  • Synology

    by JBMcB ( 73720 ) on Wednesday November 20, 2024 @02:42PM (#64960407)

    I'll stump for Synology here. I got an RT5600ac about six years ago. It still runs great, and they still sell and support it with regular security and bug fixes. The great thing about these is they are so old now you can get them used for cheap. I bought a used one from Salvation Army, sans power adapter and one antenna, for $10, that I'm going to use as a mesh extender with the first one. I've seen them on eBay for $40. If you don't absolutely need ax, it's a great option.

    • The most current item in the list was released in 2014, and was in support for as long as your Synology device. If you want to make a compelling argument to switch vendors then you'll need to find one which is appreciably different from D-Link. Synology is not, they also don't patch devices past EOL date.

      • If you aren't familiar with them, Synology is known for supporting their stuff. The DS111 NAS was released in 2010 and had its latest firmware update last year. That's 13 years of support.

        • NAS != VPN router. I'm happy to be proven wrong, show us a VPN router that was removed from sale prior to 2017 from Synology in current support and I will happily grab my megaphone and rave about them with you.

          Compare like products.

          • Well, the RT2600ac (I got the model number wrong) was their very first router released in 2017, and they still sell and support it to this day. The D-Link DSR-250N was released in 2020 and EOL'd four years later.

            Do you know of any other home router that has had seven years of support? Again, Synology is known for their support.

    • I prefer Mikrotik. Their devices are great, very customizable and have lots of features (some features run slow on some devices though) They also issue updates even for very old devices. I have a device made in 2007 (looking at the date codes on the chips) and the latest version of RouterOS still supports it. I had to recap it though, but, well, electrolytic capacitors do not last forever.

  • I recently found out that there are massive routers for cgNAT [ispreview.co.uk] because of multi trillion companies [github.com] refusing to use IPv6, so everyone's new shiny gigabit fiber connections all have to squeeze through a cgNAT tunnel for said websites. Then there are all the old routers, many of them 30 years old in many core networks of ISPs, facing large amounts of DDOS attacks because they refuse to patch their software because they'd rather spend the money on new AI GPUs instead fixing critical hardware. Just wait, there wi
  • So how about buy the hardware that is compatible with OpenWRT and just flash that? Is that still an option?
    • by crow ( 16139 )

      Yes. In my case, I'm just running a straight Linux install and managing the firewall myself. I would recommend getting a small Pi-class system with two ethernet ports and no WiFi. Use it as the firewall/gateway for your network and have the access points as separate devices that just bridge the network. In my case, I use Ubiquiti access points, but really, anything you like should work. I used to use a TP-Link, and I connected the ethernet to a LAN port instead of a WAN port to bridge the networks (aft

  • by viperidaenz ( 2515578 ) on Wednesday November 20, 2024 @04:27PM (#64960749)

    Limited Lifetime Warranty
    D-Link offers a Limited Lifetime Warranty on the DSR-150 VPN Router to further its commitment to product quality and long-term customer confidence.

  • So you could have bought a new one then and have up to 6 years warranty in the EU.
  • It's highly unlikely D-Link owns any of the IP inside of it. They bought the chips, licensed whatever stack came with them and probably just slapped their UI all over it.
    I doubt there is anything they can really do.

    • Hell, I would suck a FART on live TV if anyone can actually come up with the source code and tools necessary to actually rebuild its OS and come up with a viable way to flash it.

  • When it comes to supporting products, D-Link are D-Bags.
  • It's very simple: cars for many decades in most countries have had laws around them that govern health and safety. Routers do not. Organisations that employ routers may have health and safety laws, but routers do not.

    - Thus a 20 year old car will receive a recall if a defect is found that can harm others.
    - A router manufacturer will not be required to fix a flaw that endangers the users of traffic that traverses it.
    - An organisation such as a hospital will be required to resolve a networking issue that has the pot

  • Our companies and the ones we consult to haven't bought D-Link or other poop-line products in years.
    We do, however, put them in our evaluation matrix every time. They get a fair shot. We kept hoping.

    D-Link, congratulations. You now are the number one shitstain of refusal-to-fix devices.

    Go fuck yourselves. We won't be paying you for that effort. Any inventory you have, you can rest assured our
    meager capex budget won't move it. Maybe other companies will join us. Maybe you'll go out of business.
    Or not. It

  • I trashed your router awhile ago, I'll stick with my MikroTik thanks.
