D-Link Warns of Vulnerable Routers

kdawson posted more than 4 years ago | from the in-the-front-door dept.

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.

133 comments

Where is CowboyNeal? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30815594)

You insensitive clod! The Library of Congress isn't prime!

Re:Where is CowboyNeal? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30815950)

He's too busy buttfucking the nullo Rob "Cmdr Flesh Taco" Malda

Wouldn't the responsible thing be... (4, Insightful)

JoshDD (1713044) | more than 4 years ago | (#30815612)

to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Link's customers.

Re:Wouldn't the responsible thing be... (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30815632)

hahahaha
dlink would've done jack shit like every other company without being publicly humiliated.

Re:Wouldn't the responsible thing be... (4, Insightful)

Koby77 (992785) | more than 4 years ago | (#30815738)

But what does SourceSac get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....

Re:Wouldn't the responsible thing be... (1)

Sir_Lewk (967686) | more than 4 years ago | (#30815964)

You are not very familiar with the security scene, are you? This is just how things operate, hardly anything new.

Re:Wouldn't the responsible thing be... (0)

LOLYouAreWrong (1724080) | more than 4 years ago | (#30816058)

EL WRONG

Re:Wouldn't the responsible thing be... (1)

odd42 (1370641) | more than 4 years ago | (#30816216)

Is this your method of implementing the infamous 'Disagree' mod?

Re:Wouldn't the responsible thing be... (0)

Anonymous Coward | more than 4 years ago | (#30816496)

it's true, silly odd42

Re:Wouldn't the responsible thing be... (0)

Anonymous Coward | more than 4 years ago | (#30816576)

> But what does SourceSac get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....

My personal bet is that someone there has an axe to grind with D-Link. The "which router brand is best/worst" debate ranks right up there with the Microsoft vs. Linux and Apple vs. "PC" wars.

Someone probably just got a hard-on by doing this. My logic? I also see no direct means to profit from releasing the details of the exploit. For an actual security company to release an actual exploit tool serves only one of two purposes, either someone has a way to profit (maybe has a put against their stock?), or has a personal interest in humiliation.

Re:Wouldn't the responsible thing be... (1)

AniVisual (1373773) | more than 4 years ago | (#30816832)

Reputation, my friend, reputation.

Re:Wouldn't the responsible thing be... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30818088)

It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is to launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.

Make no mistake, these are the bad guys, they just dress up what they do to have an air of professionalism about it.

Re:Wouldn't the responsible thing be... (4, Interesting)

digitalunity (19107) | more than 4 years ago | (#30815744)

Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

Re:Wouldn't the responsible thing be... (4, Insightful)

Wrath0fb0b (302444) | more than 4 years ago | (#30816234)

> The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

"Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

versus

"Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we got through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.

Re:Wouldn't the responsible thing be... (2, Informative)

Antique Geekmeister (740220) | more than 4 years ago | (#30817716)

20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with CERT, where I and peers have submitted security bug reports and seen them buried. And I've got reports from supervisors of security personnel in the US of vendors slapping them with court orders to prevent publication of the vulnerability.

The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.

Re:Wouldn't the responsible thing be... (1)

Tim C (15259) | more than 4 years ago | (#30817762)

> The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.

And their customers, what have they done to earn the inevitable increase in attacks, other than to not know better than to buy D-Link products?

Re:Wouldn't the responsible thing be... (1)

Aladrin (926209) | more than 4 years ago | (#30817942)

This isn't about carrot and stick. The people that discovered this get nothing from it. They aren't the owners of the company, they don't work for the company, and they probably don't even use the products in question.

In fact, the only thing these people -do- get is recognition that they found some serious flaws in other peoples' stuff. And they get that whether they work with the companies or not. (Sadly, they get -far- more attention if they don't work with the companies, so that gives them a push towards non-disclosure.)

Re:Wouldn't the responsible thing be... (2, Interesting)

BitZtream (692029) | more than 4 years ago | (#30816612)

If by work you mean makes it easy for people to get exploited for no good reason other than 'to make a point (i.e. get some publicity)' then sure it works, as far as protecting people, no it doesn't.

Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people who most certainly do know about it, including the ones who are most certainly going to take advantage of it. What's better is that the likelihood of these devices EVER being updated by the majority of their users is as close to less than 0 as you can possibly get. No nag screens or auto-updates for this one, no one outside the geek community is going to even know about it.

It isn't counterintuitive, it's being an attention grabbing douche bag using the name of security as an excuse to gather publicity.

Try to cover it in roses all day long and in the end this behavior will STILL BE BULLSHIT. Get a clue.

Re:Wouldn't the responsible thing be... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30816660)

> Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

> The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?

I smell a rat here.

1. No notification at all, not even a couple days.
2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
4. Have a fixed firmware already setup to be installed, since D-Link won't be able to get one out for at least a few days.

Which seems to lead up to a pretty nifty way for someone to get a LOT of malicious firmware installed in a lot of D-Link routers that weren't even vulnerable in the first place. Now I haven't grabbed it yet to see if it's up to any tricks or not. And even if it's "legit", that just means someone at this company either has a hard-on to trash D-Link, or figured a way to profit from a drop in their stock prices.

Re:Wouldn't the responsible thing be... (2, Insightful)

Wrath0fb0b (302444) | more than 4 years ago | (#30816162)

> dlink would've done jack shit like every other company without being publicly humiliated.

Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

Re:Wouldn't the responsible thing be... (1)

Antique Geekmeister (740220) | more than 4 years ago | (#30817732)

It also gives them the "chance" to slap you with a court order to shut you up. Take a look at the history of the "8lgm", or "eight-legged groove machine". Their old site is at http://www.8lgm.org/ [8lgm.org] : it's a fascinating bit of security and legal history.

Re:Wouldn't the responsible thing be... (2, Insightful)

h4rr4r (612664) | more than 4 years ago | (#30815686)

All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.

Re:Wouldn't the responsible thing be... (2, Interesting)

wvmarle (1070040) | more than 4 years ago | (#30816544)

If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.

However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.

Re:Wouldn't the responsible thing be... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30815696)

I don't think anyone on the planet can find a D-Link security contact. More responsible [microsoft.com] companies [apple.com] make this easy.

http://www.dlink.co.za/support_pr.php (1)

JoshDD (1713044) | more than 4 years ago | (#30815752)

And as far as MS goes they NEED all the help they can get.

Re:Wouldn't the responsible thing be... (1)

Dan667 (564390) | more than 4 years ago | (#30816104)

You're going to use Microsoft as an example of what to do with security? haha, that is funny.

Re:Wouldn't the responsible thing be... (1)

fatphil (181876) | more than 4 years ago | (#30817372)

I think you'll find Microsoft are world leaders in security. They should be by now, they've issued more security patches than any other company ever!

Re:Wouldn't the responsible thing be... (0)

Anonymous Coward | more than 4 years ago | (#30817388)

I second that. No contact for security is available on any of their web pages and googling for one yields no result as well.
You can't really blame that you're not being notified if you do not provide a way for it.
Do they expect security researchers to phone them? perhaps at their customers support? at the researcher's expenses of course...

Re:Wouldn't the responsible thing be... (1, Insightful)

OverlordQ (264228) | more than 4 years ago | (#30815754)

So, is it irony that their site links to "Ethical Hacker Network"?

Re:Wouldn't the responsible thing be... (4, Interesting)

davester666 (731373) | more than 4 years ago | (#30815784)

TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?

Re:Wouldn't the responsible thing be... (1)

AmberBlackCat (829689) | more than 4 years ago | (#30816092)

The way I'm reading it, they mean the company that found the problem has published its own bootleg patch. I don't think D-Link has done anything. And if I were you, I wouldn't broadcast the fact I had that router.

Re:Wouldn't the responsible thing be... (1)

SpaceLifeForm (228190) | more than 4 years ago | (#30816236)

No sane admin would ever allow remote router configuration anyway, so admitting the use of a router that has a remote exploit, is not really a problem. It is allowing the remote access to begin with.

Re:Wouldn't the responsible thing be... (1)

jimicus (737525) | more than 4 years ago | (#30817018)

You'd better tell all the ISPs that. I know of at least one that thinks they can safely reconfigure a router remotely.

Re:Wouldn't the responsible thing be... (1)

Antique Geekmeister (740220) | more than 4 years ago | (#30817666)

And I know a stack of corporate and educational sites, and household setups, that allow this. Some consider their internal machines secure (which they are not), others consider the "open environment" more important, others consider the ease of remote access for their single admin or their often telecommuting key technical admin more important.

Re:Wouldn't the responsible thing be... (0)

Anonymous Coward | more than 4 years ago | (#30816290)

I'm not afraid. I have one of these routers and if anyone wants to try to hack it, the IP address is 77.232.92.199

Re:Wouldn't the responsible thing be... (1)

MightyMartian (840721) | more than 4 years ago | (#30816434)

> I'm not afraid. I have one of these routers and if anyone wants to try to hack it, the IP address is 77.232.92.199

No, it was 77.232.92.199!

Re:Wouldn't the responsible thing be... (2, Interesting)

DigiShaman (671371) | more than 4 years ago | (#30816516)

I pulled a reverse DNS lookup on it. It's static, and points back to servage.net in Germany. But wait, there's more...

Look at all of these registered Domains and where they point to. http://www.robtex.com/ip/77.232.92.199.html [robtex.com]

Clearly the AC wanted readers on Slashdot to become useful idiots in a DOS attack. Not me.

Re:Wouldn't the responsible thing be... (1)

AniVisual (1373773) | more than 4 years ago | (#30816854)

More likely: the AC gave us the IP of goatse.cx, which is actually hosted on servage.net.

Re:Wouldn't the responsible thing be... (0)

Anonymous Coward | more than 4 years ago | (#30817196)

Actually the reason I posted it was it is also the current IP you get if you ping goatse.cx ;-)

Don't make me upgrade to 1.3x! (1)

ender- (42944) | more than 4 years ago | (#30816134)

That's the latest I see too.

My concern with the DIR-655 is that I'm still at v1.21 [HW rev A3]. I've read nothing but nightmare stories of people with perfectly stable 1.2x routers who then upgraded to 1.3X firmwares and had tons of trouble and instability. At v1.21 my router is absolutely rock solid. This is the best, most stable wireless router I've ever had. If the 1.21 firmware is affected, and I'm forced to upgrade to 1.3X and it causes my router to become unstable, I'm going to be PISSED!

I realize I might as well be wishing for a free Ferrari, a Unicorn and a date with Mira Sorvino, but it would be great if D-Link released a 1.2x firmware with just the fix for this issue. Alas, it is unlikely.

Re:Don't make me upgrade to 1.3x! (1)

Aladrin (926209) | more than 4 years ago | (#30817950)

I upgraded my DIR655 to the latest and started having a lot of trouble. Then I turned off the internal DNS server and POOF, everything was great again. If you have trouble after the upgrade that is obviously coming, put that on your list of things to try when you have weird issues.

Re:Wouldn't the responsible thing be... (1)

Farhood (975274) | more than 4 years ago | (#30816356)

Gimme a minute to RTFA, and I'll check your router for you.

Re:Wouldn't the responsible thing be... (1)

Carewolf (581105) | more than 4 years ago | (#30817036)

I see a beta version 1.31EUb02 listed from the 18/1 with the specific changelog of fixing this vulnerability.

Re:Wouldn't the responsible thing be... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30816580)

Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.

D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract developers. Don't expect D-Link QA in India to catch it - D-Link USA did not put this in the test plan! And the router tech support (all outsourced to India) doesn't gain anything by presenting issues back to Corporate.

Yes, I've worked with D-Link in one of the above scenarios. The best way to contact them is via a non-company contact, such as one of their major shareholders. I'm not fucking kidding either.
I'm posting this anonymously because my employer is one of the above mentioned groups, and for years we have been TRYING to get D-Link to fix bugs in their software which affect us.

Bad vendors (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30815626)

I don't blame them. Finding security contacts for consumer hardware companies is next to impossible.

Whether it is D-Link, Belkin, Netgear - I don't believe any of them have a public security page similar to any major software vendors.

Re:Bad vendors (2, Informative)

abigor (540274) | more than 4 years ago | (#30815856)

For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.

The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.

These sorts of companies exist purely as marketing and sales, and don't know much about things like security.

fdsfds (-1, Offtopic)

snj2010 (1723506) | more than 4 years ago | (#30815630)

ugg knightsbridge sale [bestugg.info] ugg knightsbridge shoe [bestugg.info] ugg knightsbridge chestnut [bestugg.info]

Re:fdsfds (5, Funny)

paintballer1087 (910920) | more than 4 years ago | (#30815650)

Because slashdot is the target audience for UGG advertising...

Re:fdsfds (1)

digitalunity (19107) | more than 4 years ago | (#30815750)

lol my thoughts exactly. Slashdot is the anti-ugg crowd. If you wanna spam, at least spam geeky shit. I might click on that.

Re:fdsfds (1)

hairyfeet (841228) | more than 4 years ago | (#30816758)

Yeah, why do we always get the lame spam? To me this is just a sign of a lazy spammer. Target your audience spammers! At least offer us dodgy RAM or fake CPUs or something we might actually care about!

Re:fdsfds (-1, Troll)

Runaway1956 (1322357) | more than 4 years ago | (#30815924)

Real men (not to mention wannabes and dykes) prefer real boots - not fake fur gay shit.

http://www.wolverine.com/US/Gallery/N/WORK.aspx [wolverine.com]

Take your homoerotic crap elsewhere.

Re:fdsfds (1)

Hitokiri Battousai (702935) | more than 4 years ago | (#30816856)

He didn't even fgsfds right...

Wow. (2, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#30815646)

Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

Re:Wow. (5, Informative)

Anonymous Coward | more than 4 years ago | (#30815866)

> Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

> To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.

b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.

The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.

It's a terrible idea. (1)

khasim (1285) | more than 4 years ago | (#30816348)

So, you're surfing from home and you go to a site with a banner and you get a drive by infection.

Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.

Who the fuck thought it would be a good idea to allow other apps to open the firewall?

Re:It's a terrible idea. (1)

0123456 (636235) | more than 4 years ago | (#30816408)

> Who the fuck thought it would be a good idea to allow other apps to open the firewall?

Sales and Marketing?

Re:It's a terrible idea. (0)

Anonymous Coward | more than 4 years ago | (#30816422)

> So, you're surfing from home and you go to a site with a banner and you get a drive by infection.

> Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.

> Who the fuck thought it would be a good idea to allow other apps to open the firewall?

What exactly is the problem with management apps reading from and writing to network device configuration as long as it's implemented securely? This is the very same principle as SNMP, for example. Only people not interested in technical details wouldn't be willing to deal with the complexities of SNMP, so an alternative approach was developed requiring device makers to not implement a full SNMP stack but to utilize the usually already existing web interface for consumer grade hardware.

It's too bad D-Link implemented the idea badly but that doesn't mean it's a bad idea.

Re:It's a terrible idea. (1)

0123456 (636235) | more than 4 years ago | (#30816730)

> What exactly is the problem with management apps reading from and writing to network device configuration as long as it's implemented securely?

That it won't be implemented securely in many cases.

Effectively you have an RPC interface which can be called by a web browser; that is an insanely bad idea, because any security flaw which exists can be remotely exploited by telling the web browser to access the relevant URL. I don't believe there's any similar way to remotely exploit flaws in an SNMP interface.
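The concern raised in this part of the thread, that a LAN-side management interface callable from a web browser can be driven by a page the user merely visits, is normally handled on the device by refusing browser-originated cross-site requests and authenticating every call, reads included. The gate below is an added sketch of that check, not code from D-Link, the HNAP specification or any commenter; the device host names, the `X-Mgmt-Token` header and the sample requests are assumptions constructed for the illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumed for this illustration: the names the device answers to on the LAN,
# a hypothetical custom header carrying a per-session token, and that token.
DEVICE_HOSTS = frozenset({"192.168.0.1", "router.lan"})
TOKEN_HEADER = "x-mgmt-token"
SESSION_TOKEN = "constructed-session-token"


def _hostname(value, is_url):
    """Lowercase hostname from a URL (Origin/Referer) or a Host header value."""
    try:
        parts = urlsplit(value if is_url else "//" + value)
    except ValueError:  # malformed value, e.g. a broken IPv6 literal
        return None
    return parts.hostname  # None when no host is present (e.g. Origin: null)


def gate_request(headers, session_token, device_hosts=DEVICE_HOSTS):
    """Return (allowed, reason) for one request to the management endpoint."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. The request must be addressed to a name the device itself owns.
    if _hostname(h.get("host", ""), is_url=False) not in device_hosts:
        return False, "host-not-device"

    # 2. Browsers attach Origin and/or Referer. If either is present it must
    #    point back at the device; anything else is a cross-site request.
    for name in ("origin", "referer"):
        if name in h and _hostname(h[name], is_url=True) not in device_hosts:
            return False, "cross-site-" + name

    # 3. Every call needs the session token, read-only calls too. A custom
    #    header cannot be set by a plain cross-site form, image or link.
    supplied = h.get(TOKEN_HEADER)
    if supplied is None:
        return False, "missing-token"
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "bad-token"
    return True, "ok"


# Constructed sample requests (headers only), not captured traffic.
SAMPLES = {
    "management app": {"Host": "192.168.0.1", "X-Mgmt-Token": SESSION_TOKEN},
    "device web UI": {"Host": "router.lan:80", "Origin": "http://router.lan",
                      "X-Mgmt-Token": SESSION_TOKEN},
    "cross-site form": {"Host": "192.168.0.1", "Origin": "http://ads.example",
                        "Referer": "http://ads.example/banner.html"},
    "cross-site image": {"Host": "router.lan",
                         "Referer": "http://ads.example/banner.html"},
    "sandboxed frame": {"Host": "192.168.0.1", "Origin": "null",
                        "X-Mgmt-Token": SESSION_TOKEN},
    "unauthenticated read": {"Host": "192.168.0.1"},
    "wrong token": {"Host": "192.168.0.1", "X-Mgmt-Token": "guess"},
    "foreign host name": {"Host": "example.test",
                          "X-Mgmt-Token": SESSION_TOKEN},
}


def evaluate_samples():
    """Run every constructed sample through the gate; map name -> reason."""
    return {name: gate_request(hdrs, SESSION_TOKEN)[1]
            for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in evaluate_samples().items():
        print(f"{name:22s} {reason}")
```

A native management application sends neither `Origin` nor `Referer`, so it passes step 2 and is held to the token check alone.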

Re:It's a terrible idea. (0)

Anonymous Coward | more than 4 years ago | (#30816464)

> So, you're surfing from home and you go to a site with a banner and you get a drive by infection.

> Now that app can find and configure your firewall to open the port and map it back to you so that you can be used to spread more infections.

> Who the fuck thought it would be a good idea to allow other apps to open the firewall?

Presumably the people that figured out that most consumers cannot be bothered to learn the complexities of SNMP administration, and that most low end consumer grade manufacturers have no interest in implementing a full SNMP stack on their devices but could probably be convinced to utilize the usually already existing web interfaces instead.

Just because someone implemented it badly in one instance doesn't mean that centralized network device management is a bad idea. In fact, it's a damn fine idea to bring from professional environments into the home - you just have to be very careful with your defaults.

Re:It's a terrible idea. (1)

jimicus (737525) | more than 4 years ago | (#30817052)

> Who the fuck thought it would be a good idea to allow other apps to open the firewall?

UPnP allows something similar. Disabling such features wouldn't necessarily gain much because if malware does get in, it's just as easy to initiate the connection from inside the home firewall and keep it open - with the added benefit that the control server knows which nodes are online because there are connections open to them. Otherwise it'd have to keep a list of which IP addresses are compromised and contact each one whenever it wants to do something - which would be slow, and wouldn't deal very well with offline nodes or dynamically assigned addresses.

Sky is falling! ...I think, maybe. (1)

djupedal (584558) | more than 4 years ago | (#30815708)

> "The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected."

It's one thing to be a commenter/whistle-blower - it is entirely another to be an apologist in the same breath.

Once you pull the trigger, you can't run, catch the bullet and put it back in the same chamber, eh? A simple "only customers who updated their firmware are potentially affected" would have been fine...if only you'd left it there :)

We'll let it go this time, but do it again and it's gonna be all 'look people! point and laugh! point and laugh!!!!'

UBICOM Based Routers? (5, Informative)

Fnord666 (889225) | more than 4 years ago | (#30815734)

It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list [dd-wrt.com] happens to have a list of routers that use UBICOM boards.

Some other UBICOM based devices listed in TFA's comments include:

  • D-Link Wireless 108G Gaming Router
  • SMC Barricade SMCWGBR14-N
  • Netgear WNDR3700
  • ZyXEL's MIMO-N line

Re:UBICOM Based Routers? (1)

tlhIngan (30335) | more than 4 years ago | (#30816254)

> It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list happens to have a list of routers that use UBICOM boards.

Given Ubicom makes their own CPU, I would be surprised if it isn't in all Ubicom boards past a certain software revision. Ubicom CPUs are their own architecture (they have hardware multitasking, and you load a scheduler register with the tasks you want to run. Each clock cycle, it executes one instruction from the designated task (each task has its own register file, and the scheduler register basically sets which register file to use every clock), so Ubicom makes their software SDK. It's complex and hard to get enough that only Ubicom makes the software kit, and the OEMs just do basic customization.

And why hardware multitasking? This way they can do *everything* in software, including Ethernet (they have the MII interface, but it's basically a register you have to load and unload in real time). It's the ultimate in hard real time. But it also means the only software stack from software-based Ethernet MACs to the kernel and network protocols is all their code.

LOL, if they think ,,,, (0)

Anonymous Coward | more than 4 years ago | (#30815746)

SourceSAC didn't come out of LOL town.

DGL-4500 users left screwed (2, Interesting)

DigiShaman (671371) | more than 4 years ago | (#30815786)

If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
http://forums.dlink.com/index.php?board=144.0 [dlink.com]

Re:DGL-4500 users left screwed (0)

Anonymous Coward | more than 4 years ago | (#30815882)

Honestly it's been a while since I could buy them retail (although I've been looking at meritline to buy them online), but Airlink's routers are freaking awesome. Most are 'obsolete' reference designs from the design firms for the big guys, notably d-link, and with a bit of reading on openwrt can be loaded with custom firmware, but for 25 percent to 75 percent off the price of the equivalent d-link. I haven't had a single piece of hardware from them fail, and I've got about 20 now, ranging from older wired routers to like 4-6 wifi routers, 3 nas units, and a half dozen to dozen IP cameras. All of them except maybe the wired router run linux, all are pretty reliable, and pulling the case off you can have fun checking the silkscreened model numbers against those of the other guy who you would've paid 3x the price for :)

Re:DGL-4500 users left screwed (1)

0123456 (636235) | more than 4 years ago | (#30815922)

Yeah, I've found Airlink products to be pretty good too, for low-cost hardware. Though leaving a passwordless telnet root login open by default on their IP webcam wasn't the most secure configuration ever :).

Re:DGL-4500 users left screwed (0)

Anonymous Coward | more than 4 years ago | (#30816144)

Who would pick anything D-Link/whatever over something as simple as m0n0wall or pfsense or IPCop for a small office? Sounds like someone hasn't been doing their homework.

Re:DGL-4500 users left screwed (1)

clarkn0va (807617) | more than 4 years ago | (#30816300)

As much as I do love m0n0 and PFS, it's not really the same market. These require x86 hardware, while DLink caters to the low-cost OTC MIPS-type stuff, much more appealing to the non-techie home and SOHO user, to whom I enthusiastically recommend Tomato-compatible hardware, such as the always-on-sale ASUS WL520-gu.

But yeah, I've never understood why DLink is as popular as it is. I've seen countless numbers of those things either fail right out of the box, or begin to fail, either outright or in subtle ways, just months after purchase. I'm not sure similar brands like Trendnet or the Best Buy rebate of the week are any better, and the Linksys brand has certainly gone into the sewer in recent years too, but DLink? That crap is everywhere. It's like the Norton of networking hardware.

Re:DGL-4500 users left screwed (1)

DigiShaman (671371) | more than 4 years ago | (#30816338)

For an office of say 10 employees, a SOHO router is just fine. It's cheap, easy to configure, and solid state. They can also be mounted on a telco baseboard along with the rest of the equipment too. Why cobble together a used PC (or new) to run M0n0wall for just 10 users? Not worth the time IMHO. Just plug in a WiFi Linksys box and be done with it!

Re:DGL-4500 users left screwed (1)

Giometrix (932993) | more than 4 years ago | (#30816456)

If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products. http://forums.dlink.com/index.php?board=144.0 [dlink.com]

Odd, I have this model... and with v1.15 (2008/10/29) the admin page says I have the latest version of the firmware. I wonder if they stopped pushing anything that came later.

Attack is Significant but Will not be Pandemic (3, Informative)

phantomcircuit (938963) | more than 4 years ago | (#30815846)

This attack only works when a system on the LAN initiates it.

It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.

I'm guessing that this is successfully used only in highly targeted attacks.
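The DNS rebinding route mentioned in the comment above can be spotted from the defender's side in resolver logs. The following is an added example, not part of the original thread: the log records, host names and the `home.example` local zone are constructed, and the 60-second window is an assumption.

```python
import ipaddress

# Ranges that answers for public names should never point into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed resolver log: (seconds, LAN client, queried name, answer).
SAMPLE_LOG = [
    (0,  "192.168.0.23", "www.example.org",        "198.51.100.20"),
    (5,  "192.168.0.23", "ads.rebind.example",     "203.0.113.7"),
    (9,  "192.168.0.23", "ads.rebind.example",     "192.168.0.1"),
    (20, "192.168.0.40", "nas.home.example",       "192.168.0.50"),
    (50, "192.168.0.40", "printer.vendor.example", "10.0.0.9"),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rebinding(log, local_suffixes=(), window=60):
    """Return findings for non-local names answered with an internal address.

    kind is "flip" when the same name returned a public address at most
    `window` seconds earlier (the rebinding pattern), otherwise
    "internal-answer" (worth blocking at the resolver either way).
    """
    last_public = {}   # name -> (time, ip) of the latest public answer
    findings = []
    for t, client, name, ip in sorted(log):
        name = name.rstrip(".").lower()
        if any(name == s or name.endswith("." + s) for s in local_suffixes):
            continue   # zones we host ourselves may point inside the LAN
        if not is_internal(ip):
            last_public[name] = (t, ip)
            continue
        prev = last_public.get(name)
        if prev and t - prev[0] <= window:
            findings.append(("flip", t, client, name, prev[1], ip))
        else:
            findings.append(("internal-answer", t, client, name, None, ip))
    return findings

if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG, local_suffixes=("home.example",)):
        print(finding)
```

A resolver that drops the flagged answers instead of only logging them removes the browser's path to the router's LAN-side interface.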

Re:Attack is Significant but Will not be Pandemic (0)

Anonymous Coward | more than 4 years ago | (#30815970)

This attack only works when a system on the LAN initiates it.

It is possible to get a system on the LAN to initiate it with a DNS rebinding attack and JavaScript on a malicious web page, but that is far from a trivial attack.

I'm guessing that this is successfully used only in highly targeted attacks.

That depends on who your attacker is. If, for example, one of the more popular ad servers out there decided to hijack people's routers, then a lot of vulnerable people would be pretty well fucked all at once.

Re:Attack is Significant but Will not be Pandemic (1)

MichaelSmith (789609) | more than 4 years ago | (#30815988)

How about just busting into their wifi? There is an AP near the tram stop I use called "DLINK". I use it sometimes to check stuff while waiting for the tram to go. Now every time I go past an AP called DLINK (and there are a lot of them) Ubuntu tries to connect. A lot of the time it gets on too.

Re:Attack is Significant but Will not be Pandemic (1)

jamesh (87723) | more than 4 years ago | (#30816442)

Now every time I go past an AP called DLINK (and there are a lot of them) Ubuntu tries to connect.

This is the big problem with unsecured access points. Linux is probably pretty safe but if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?) and you could be pwned pretty readily either by the owner of the access point or by someone else who just happens to be connected too.

Re:Attack is Significant but Will not be Pandemic (1)

MichaelSmith (789609) | more than 4 years ago | (#30816816)

if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?)

The MAC address?

Re:Attack is Significant but Will not be Pandemic (1)

jamesh (87723) | more than 4 years ago | (#30817188)

The MAC address?

Hmmm... that is visible but I don't think Windows pays any attention. Otherwise if you added another unsecured 'DLINK' SSID down the other end of your house it wouldn't 'just work'.

Re:Attack is Significant but Will not be Pandemic (1)

Carewolf (581105) | more than 4 years ago | (#30817782)

I can't say for all the affected routers but the D-Link 655 has a guest mode for unsecured wireless networks. This means this essid only provides internet and not access to the LAN. To get to the LAN you need to use the other secure essid (the router can handle multiple wireless networks with varying security).

Re:Attack is Significant but Will not be Pandemic (0)

Anonymous Coward | more than 4 years ago | (#30816940)

If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

huh (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30815914)

well call me a faggot nigger!

Re:huh (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30816222)

You're a faggot nigger.

It's IEs fault! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30815930)

Those niggers at Micro$oft fucked us again!

Just checked D-Link's website (1)

bytethese (1372715) | more than 4 years ago | (#30815978)

I don't see any update for the DIR-655, last firmware is from 07/2009, v1.32NA.

I hope they release soon, I know a few not so savvy users who have this model.

Re:Just checked D-Link's website (1)

AmberBlackCat (829689) | more than 4 years ago | (#30816112)

Do you have any suggestions for a good wi-fi router, without replacing the firmware with your favorite open source firmware?

Re:Just checked D-Link's website (1)

crispytwo (1144275) | more than 4 years ago | (#30816156)

Whatever you do, don't install v1.32NA. It's garbage! I wish I never did!

I've been waiting for an update for months now, with a reboot every couple of days.
When it works, it's fine, but it is certainly not stable.

Re:Just checked D-Link's website (1)

Aladrin (926209) | more than 4 years ago | (#30817964)

Turn off the internal DNS stuff (DNS Forwarding, I think it was called?). That fixed it for me. I was really upset about it until I found that fix.

Not afraid of this one (0)

Anonymous Coward | more than 4 years ago | (#30816008)

If you are that high tech, you probably would have a custom Router anyway? Hmmmmm.

I have nothing to contribute to this conversation (0, Offtopic)

Anrego (830717) | more than 4 years ago | (#30816038)

I really don't :(

Hopefully this whole thing gets corrected without too much harm :)

Re:I have nothing to contribute to this conversati (1)

ibsteve2u (1184603) | more than 4 years ago | (#30816610)

Don't feel bad. All I have to contribute is "A stable rev of dd-wrt for the DIR-655 that addresses speed issues with the existing version, and I won't care." (Besides, my wireless routers are behind another unaffected router.)

Problem Is More Widespread Than Reported! (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30816082)

This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting UPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.

Search for some of the exploits yourself, many of them UPnP, visit the router manufacturer's webpages listings for each of their routers, check their latest firmware update release and discover for yourself just how many routers haven't received any updates for years. What's even more shocking is many of these routers CONTINUE to be sold IN STORES and online, often the boxes still claiming how much security they offer when no firmware updates are available for many of them! Many old firmware patches resolve some issues with UPnP but do not offer protection against newer UPnP (and other) attacks!

This is clearly insane!

Router manufacturers should continue to patch old routers, especially those products of theirs still being sold in brick and mortar retail outlets!

This is obviously being swept under the rug, as many individuals who have been screaming on manufacturer's forums, mailing lists, e-mails, even via snail mail are being disregarded, posts/threads being shuffled off quietly, people being told to buy a newer router than the one at the store which claimed to offer a good degree of security, only to find their newer router purchased often with old firmware and no modern firmware available!

Governments and people need to hold these manufacturers accountable!

Re:Problem Is More Widespread Than Reported! (0)

Anonymous Coward | more than 4 years ago | (#30816168)

Router companies would then have to charge $400 for a consumer grade router. It is a trade-off that is unfortunate. Either price the router factoring in a 10+ year supported life if not more, or price them low, and run them obsolete.

If it were up to me, the absolutely best choice would be to have the router be open sourced and flashable. This way, a router that ends up EOL still has a way to get flashed by modders so the security of it remains solid, even after manufacturer support has long since ceased.

Re:Problem Is More Widespread Than Reported! (1)

clarkn0va (807617) | more than 4 years ago | (#30816312)

Tomato. [polarcloud.com]

Re:Problem Is More Widespread Than Reported! (0)

Anonymous Coward | more than 4 years ago | (#30816424)

Good suggestion, but that's for wireless routers, NOT wired which the parent poster was mainly referring to.

Also, inclusion is very limited, per Tomato's homepage:

"Routers that are known to work with Tomato:

        * Linksys WRT54G v1-v4, WRT54GS v1-v4, WRT54GL v1.x, WRTSL54GS (no USB support)
        * Buffalo WHR-G54S, WHR-HP-G54, WZR-G54, WBR2-G54, WBR-G54, WZR-HP-G54, WZR-RS-G54, WZR-RS-G54HP, WVR-G54-NF, WHR2-A54-G54, WHR3-AG54
        * Asus WL500G Premium (no USB support), WL500GE, WL520GU (no USB support)
        * Sparklan WX6615GT, Fuji RT390W, Microsoft MN-700"

That's several, but not enough.

Re:Problem Is More Widespread Than Reported! (1)

0123456 (636235) | more than 4 years ago | (#30816396)

Router companies would then have to charge $400 for a consumer grade router.

Producing a router that doesn't have a fancy web interface that allows any web site to reconfigure it with an embedded image URL is likely to be cheaper than producing one which does have a fancy web interface with vast security holes.

The problem is that the companies go out of their way to make routers 'user-friendly', and in the process make them cracker-friendly too.

Let me be the first idiot to ask, (0)

Anonymous Coward | more than 4 years ago | (#30816206)

Does it matter, presuming your computers are all safely configured for direct connection to the net? Or does a vulnerable router mean you're wide open to say a man in the middle attack?

Re:Let me be the first idiot to ask, (1)

0123456 (636235) | more than 4 years ago | (#30816386)

I don't know how far this attack goes, but there was an attack on some models of home routers in Mexico a while back which used an embedded image URL to reprogram their DNS to forward connections to a bank site to a phishing site so that they could steal passwords. If you can reconfigure the router in arbitrary ways then you can pretty much take control of the Internet as far as the computers on the LAN side are concerned, at least if they use DHCP to get their network information.

This is one reason why I have hard-coded all my computers to use the ISP's DNS servers rather than the router.

Re: Hardcode to ISP DNS server, (1)

ibsteve2u (1184603) | more than 4 years ago | (#30816568)

I reckon it depends on how much you trust your ISP (Is it Comcast? comes to mind), but you could roll your own DNS server [isc.org].

DI-524 workaround? (1)

hobdes (678049) | more than 4 years ago | (#30816240)

I've got an affected router (DI-524 Rev C1 v3.23 firmware). From the advisory:

Older models, such as the DI-524, require authentication for all of the supported SOAP actions, but allow both the administrator and user accounts to execute any of these actions. This allows a malicious individual to use the often-ignored user account (default login of 'user' with a blank password) to perform administrative actions

If I read that right I should be fine as long as I secure the user account as well as the admin account. (And, of course, disable remote access.) Can anybody confirm/correct? Thanks.
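The flaw class in the advisory text quoted above is authentication without per-action authorization. The sketch below is an added example, not D-Link's code and not part of the original comment: the account table, the SOAP action names and the role model are all constructed for illustration.

```python
import base64
import hmac

# Constructed accounts: name -> (password, role). 'user' is still blank.
ACCOUNTS = {"admin": ("s3cret-admin", "admin"), "user": ("", "user")}

# Hypothetical SOAP action names and the role each one should require.
REQUIRED_ROLE = {"GetDeviceInfo": "user",
                 "SetDnsServers": "admin",
                 "SetAdminPassword": "admin"}

def basic(name, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def authenticate(auth_header):
    """Return (name, role) for valid HTTP Basic credentials, else None."""
    try:
        scheme, blob = auth_header.split(" ", 1)
        name, _, password = base64.b64decode(blob).decode().partition(":")
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if scheme.lower() != "basic" or name not in ACCOUNTS:
        return None
    stored, role = ACCOUNTS[name]
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return (name, role) if ok else None

def handle_flawed(action, auth_header):
    """Authenticates the caller, then lets any account run any action."""
    if authenticate(auth_header) is None:
        return 401
    return 200 if action in REQUIRED_ROLE else 404

def handle_checked(action, auth_header):
    """Adds a per-action role check and refuses blank-password accounts."""
    who = authenticate(auth_header)
    if who is None:
        return 401
    if action not in REQUIRED_ROLE:
        return 404
    name, role = who
    if ACCOUNTS[name][0] == "":
        return 403   # account still on its blank default password
    if REQUIRED_ROLE[action] == "admin" and role != "admin":
        return 403   # authenticated, but not authorized for this action
    return 200

if __name__ == "__main__":
    hdr = basic("user", "")
    print("flawed :", handle_flawed("SetDnsServers", hdr))
    print("checked:", handle_checked("SetDnsServers", hdr))
```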

Only fools buy D-Link trash anyway (1)

Fotograf (1515543) | more than 4 years ago | (#30816508)

From routers, switches to cameras, all I have seen is half finished overpriced junk

DIR-615 (1)

Nonillion (266505) | more than 4 years ago | (#30816918)

Maybe that's why the last DIR-615 was acting strange, I replaced it with another DIR-615 but it has firmware version C1. Guess I'm safe, for now..
