×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

D-Link Patches Critical Vulnerability In Older Routers

samzenpus posted about 4 months ago | from the protect-ya-neck dept.

Security 54

An anonymous reader writes "D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions' security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

54 comments

Well that's good. (5, Insightful)

johnnys (592333) | about 4 months ago | (#45576167)

Good guy D-Link!!!! It's nice to see a manufacturer actually helping out their customers instead of just making them buy a new router.

MOD PARENT DOWN!!! (-1)

Anonymous Coward | about 4 months ago | (#45576269)

What a troll. Sheesh.

Re:Well that's good. (0)

Anonymous Coward | about 4 months ago | (#45576281)

The NSA will be none too pleased about this.

Re:Well that's good. (4, Insightful)

pla (258480) | about 4 months ago | (#45576399)

The NSA will be none too pleased about this.

The NSA wants to have access but keep others out. Known vulnerabilities let the "wrong" spies in. Why do you think *cough* "DLink" *cough* released this patch, anyway?

Re:Well that's good. (0)

Anonymous Coward | about 4 months ago | (#45576695)

More Interesting is why did it take them that long to close their own backdoor. Did they made a new one?

Re:Well that's good. (0)

Anonymous Coward | about 4 months ago | (#45579367)

What no more free wifi?

Re:Well that's good. (1)

wonkey_monkey (2592601) | about 4 months ago | (#45576809)

a manufacturer actually doing whatever they can to mitigate the bad publicity that goes along with the revelation of a critical security flaw

FTFY.

Re:Well that's good. (1)

Anonymous Coward | about 4 months ago | (#45576881)

Yay! D-Link fixed a router firmware! Remember this rare occasion. If past experience serves as a guide, best let the pawns upgrade first...

Re:Well that's good. (1)

Almost-Retired (637760) | about 4 months ago | (#45579285)

Sorry, I don't buy this for more than 10 milliseconds. D-Link customer in Mumbai has an attitude that the customer is a dummy, and when he calls in to get some help with a real problem, he either gets the brushoff, or they ask for the seriel number and suddenly discover the device I bought new from Wally's (I'm out in the puckerbrush, Wally's is as hi-tech as can be driven to locally) a week ago was sold, then returned as defective over a year ago by another dealer , and has been marked as having been destroyed in their records. So I asked for an email confirming it, took the router and the email back to Wally's, got a 100% refund and mail ordered a Buffalo Netfinity that I had to reflash with a real dd-wrt image since their branding covered a menu item I had to have access to.

The next D-Link product that crosses my threshold will be after I hear reliable reports that hell has frozen over a year ago and pigs are using it for an airport runway. IMO its dd-wrt all the way down.

Re:Well that's good. (1)

thegoldenear (323630) | about 4 months ago | (#45581909)

According to Wikipedia, DD-WRT haven't put out a stable release since 27 July 2008!

Re:Well that's good. (1)

Almost-Retired (637760) | about 4 months ago | (#45583449)

Wikipedia is editable by anyone. And no one has come through dd-wrt here that I didn't give them the password to do so. No one. I used to watch the logs while the NK and CN folks hammered on it for hours at a time, but that got boring although I did occasionally cost someone their net account if they were being a big enough pest to DDOS me. Those sorts of attacks have actually decreased, I think they've some sort of a fingerprinting thing now that tells them if its a vulnerable target, so they don't waste a lot of time doing dictionary attacks like they did 5 years ago. The proof is in the results.

I once bought a Siemans router back in my greenhorn days, lasted about 15 minutes before somebody bricked it. I made circuit city eat that one. I had an old slow wintel box with 2 net cards in it that I ran the X86 version of dd-wrt on for 4 or 5 years, stripped, headless, booted from a CF card switched read only. It Just Worked(TM). And this much lower power consumption Buffalo NetFinity with the real dd-wrt reflashed into it has now been standing guard for about 2 years.

So all I can say is, let the results be the proof you need.

Cheers, Gene

Routers impacted (5, Informative)

sitkill (893183) | about 4 months ago | (#45576261)

Vulnerable devices include D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers.

Re:Routers impacted (1)

Anonymous Coward | about 4 months ago | (#45576371)

And what percentage of those do you think will every actually get the update?

Re:Routers impacted (0)

Anonymous Coward | about 4 months ago | (#45580251)

Would love to patch mine (DI-604+) but no firmware upgrade available for this model. The solutions presented to me is to not mess with the remote management settings (but yet make sure it is turned off - luckily it is), or buy a new device. Would connect the (newer) wi-fi router as main if I didn't have to reset the poor thing every two weeks (newer isn't always better since I've had no problems with the 604).

That was actually... pretty fast considering... (0)

Anonymous Coward | about 4 months ago | (#45576307)

Most people expected them never to get patched _at all_

Re:That was actually... pretty fast considering... (0)

Anonymous Coward | about 4 months ago | (#45577077)

The copyright date on the manual for one of those routers was *2002*. Are they really supporting products that old? If so, that's pretty good...

Now the question is.... (4, Insightful)

Dega704 (1454673) | about 4 months ago | (#45576367)

How many of these devices will actually get patched by their users?

Re:Now the question is.... (0)

Anonymous Coward | about 4 months ago | (#45577173)

I did .
D-Link 100

Re:Now the question is.... (1)

kmg90 (957346) | about 4 months ago | (#45584281)

I wonder what the statistics are across the board for all home routers and whether the owners are updating them when likely... My guess is not the majority

Remote Management (1)

Lieutenant_Dan (583843) | about 4 months ago | (#45576377)

I mean, who enables remote management of their router?

I get the fact that sometimes you gotta open stuff up remotely; but in that case, you'd hop onto your jumpbox and then launch a browser to log into your router.

Re:Remote Management (1)

xenoc_1 (140817) | about 4 months ago | (#45580077)

Back in the day, a lot of consumer routers and access points* came out of the box with remote management enabled. It was something that only we geeks knew how to turn off. More importantly, knew why to turn off, and if left on, we had good reason for so doing. With other than the default password. Which leaves the other 99.42% of buyers with it still wide open.

I remember at least one Linksys and one D-Link out of the half-dozen or so I went through in the late-90's through mid-2000's that defaulted to remote management on. After a while I gave up on them and used a homebuilt low-end desktop running Linux as my router, with good old Speakeasy multiple-fixed-IP DSL, and was a happy geek. I moved to the land of "Qwest or Comcast only", before Speakeasy got BestBought and went to evil shit. But Joe Doakes and Jane Smokes are just using those routers as-purchased.

As to a downstream comment about "what ISP provides a router?" the answer is "Most DSL, most fiber, and some cable ISPs." Up through mid-2012 when I left the States for good, Comcast in Colorado was still just providing a DOCSIS modem with one ethernet port. While I was unloading my place there I threw an old D-Link "router" (early-N single-band WiFi/router combo, maybe one of those on the list) downstream from it to get actual routing and DHCP. Time Warner Cable in North Carolina, in the late 2000's was still the same thing, just a modem. When I used Qwest-now-CenturyLink in CO and WA, they provided a combo unit that was DSL modem, router, and WiFi all built in.

So lots of cable modem subscribers have "routers" they bought sitting downstream from their cable modem. Less so, DSL subscribers but some do. A large amoujnt of them may have one of these D-Link units. Thankfully most of those units probably bricked themselves or burnt out by now, but ironically cheapo D-Link routers tended to last a lot longer than their low-end competition. Plenty still trucking along, open to this problem.

* I'm aware that "router", "access point" are different things and that what most consumers call a "router" is a combination of a router and a wireless access point. Point is, most consumers are not.

What percentage will be upgraded? (2)

bobsacks (784382) | about 4 months ago | (#45576383)

It's good that the patch is available, but what percentage do you actually think will get fixed? Your average user isn't even going to know how to apply a firmware update much less be aware that they have a vulnerable router and need to update it.

Re:What percentage will be upgraded? (0)

drinkypoo (153816) | about 4 months ago | (#45576519)

The average user uses the router provided by their ISP; the average ISP provides a wireless connection as well as a wire to the customer. Most of them don't ever buy another router.

Of those who do, a substantial percentage are the type to know what a firmware update is, and why you would want one.

Of those who aren't, I suspect (but have no proof) that a substantial percentage are the type to replace their router periodically anyway, to keep up with their new devices. They go to the store and say that they're not getting the speeds they want, the guy in the store tells them they need some new hot shit wifi that will provide real-world improvements of a couple megabits or so, which is probably enough to solve their HD streaming problem, and they take the old router out and stick it in a cardboard box under the stairs full of wires and wall warts that they'll write "make offer" on the next time they have a yard sale.

Re:What percentage will be upgraded? (2)

garyoa1 (2067072) | about 4 months ago | (#45576991)

What am I missing here? Don't know of any ISP that supplies routers. And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

Re:What percentage will be upgraded? (0)

drinkypoo (153816) | about 4 months ago | (#45577289)

What am I missing here? Don't know of any ISP that supplies routers.

What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion. Whether you get the crappy little DSL modem from ATT or the Xfinity modem from Comcast, you're getting a really crap router with a really crap modem built in; in the former case it's a DSL modem, and in the latter a DOCSIS cable modem. Usually it's no more than 802.11g, but that's adequate for most purposes for users with few wireless devices. The box is installed near the one device to which twisted pair is run, usually the home's most powerful PC, or a gaming device.

Re:What percentage will be upgraded? (1, Flamebait)

Endloser (1170279) | about 4 months ago | (#45577431)

There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

Re:What percentage will be upgraded? (0)

drinkypoo (153816) | about 4 months ago | (#45577491)

There is no such thing as a stupid question. But there are certainly stupid responses. Try and figure out which yours is.

Instead, I'm trying to figure out if you're actually a different asshole, or another account of the same asshole, trying to look like a different asshole. But your other comment is utterly devoid of value as it does not, in fact, contain any information on what percentage of customers are provided with routers with wireless modems in them. Further, on a completely snarky tip, even customers who do not receive a wireless router are still going to receive a router in the majority of cases. It won't be a wireless router, but oddly, that was not the question asked.

Now fuck off, or I shall taunt you a second time.

Re:What percentage will be upgraded? (-1)

Anonymous Coward | about 4 months ago | (#45577789)

You are a very rude and vulgar person. Shame on you.

Re:What percentage will be upgraded? (0)

drinkypoo (153816) | about 4 months ago | (#45577801)

You are a very rude and vulgar person. Shame on you.

You are a coward, not only afraid to log in but also of free expression of the amygdala. Shame on you, and your fear.

Re:What percentage will be upgraded? (0)

Anonymous Coward | about 4 months ago | (#45579181)

Oh wow, what a witty retort.

Re:What percentage will be upgraded? (1)

Endloser (1170279) | about 4 months ago | (#45577937)

I am a different asshole. That is why I answered the question of the person who you chose to mock in an effort to feel significant.
Feel free to taunt all you want. My constitution is too great for somethig so insignificant to alter.

Re:What percentage will be upgraded? (0)

Anonymous Coward | about 4 months ago | (#45578851)

What you're missing is knowledge of the topic being discussed. Virtually every broadband internet connection is implemented in this fashion.

Some are, some aren't. "Virtually every" is a gross exaggeration, and you have no good reason to act like such a rude snob.

Re:What percentage will be upgraded? (1)

Endloser (1170279) | about 4 months ago | (#45580421)

In fact "virtually every" can be considered "virtually incorrect". Seeing you discuss it as a "gross exhaggeration" and not blowing it off as a total troll made me realize that maybe some people have a perspective that only consumer devices connect to the Internet. And for those people I would just like to point out that the majority of the infrastructure that consumer devices are browsing is connected to the Internet over a physical medium (with a great number still on a base to broad setup).

However there are also a good deal of devices I don't think people usually realize are connected to the Internet with some multi-channel comms in there.
-Your cable set top box may be connected. These are ever increasing in popularity, as it is the perfect place to stick a little DOCSIS modem.
-Lots of gamers wouldn't be caught dead running their consoles over WiFi.
-Home security systems frequently traverse broadband over a direct/intermediary DOCSIS modem with cellular backup.
-Traffic signals and street lights in many municipalities are controlled via the MAN and can be accessed directly from / have direct access to the Internet.
-The same goes for red light cameras.
-To a similar effect, in the private sector, there are tons of CCTV systems that have a recorder which provides Internet access.
-Al Gore. (I probably made that up.)
-And to those who don't work in office buildings, let's not forget that there are still thousands of computers sitting under desks.

So while wireless technology has really taken off, we shouldn't write off just how many devices connect to the Internet over a Copper/Fiber interface.

Re:What percentage will be upgraded? (1)

Endloser (1170279) | about 4 months ago | (#45577423)

Recently many major ISPs have started to provide them as part of the contract.
I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

But to your point and the dismay of many who seem to know it all, there are still quite a few companies (and one of the above) I can also say the opposite for.
Not all markets are the same and I know in some Comcast markets they do not provide a wireless router without an additional charge.
I know ATT and Brighthouse do not offer a wireless router at all in some of their markets.
As well, Verizon's hardware offerings will vary depending upon market (but I have not found one where the equipment is not offered for at least an additional fee).

So I guess the sweeping statements that almost all major ISPs provide wireless routers is true.
But there is a cavaet that it only applies to specific markets.

(Yes, I know this first hand and not via anecdotes. Full disclosure, I probably work in this industry.)

Re:What percentage will be upgraded? (1)

bigfinger76 (2923613) | about 4 months ago | (#45577517)

I know of no ISP in the last 5 years that doesn't offer routers. Easy money every month. To not offer them is leaving a lot of cash on the table - these companies know better at this point. I even worked for a local (rural) telecom about 4 years ago, and we offered them then.

Re:What percentage will be upgraded? (1)

Endloser (1170279) | about 4 months ago | (#45578023)

If you are referring to ISP meaning the corporation, I see the same. But if you investigate individual markets you will likely find even many of the large corporations have coverage gaps for leasing certain equipment. And for some reason wifi routers seem to be one of those pieces of equipment.

Thanks for the intelligent response though. I definitely agree (assuming you are implying this) that in today's day of age most ISPs should take advantage of that easy money. After all, 5 bucks a month on a $40-60 item with a MTBF of 2 years is insane profit.

(And just so some pedantic person doesn't walk on our kind conversation, yes... ISPs provide routes to all of their customers in good standing. And most have routers built into their CPE gateway devices.)

Re:What percentage will be upgraded? (1)

Obfuscant (592200) | about 4 months ago | (#45579643)

Recently many major ISPs have started to provide them as part of the contract. I can vouch that Verizon and Comcast both provide wireless routers in at least some of their markets.

Comcast would happily rent me one of their routers, and I'm beginning to see their wireless routers litter the RF landscape near my house.

Charter Cable would also enable the wireless features on the router I have through them. They apparently stock and install one cable modem/wire+wireless router and then enable what you pay for.

Personally, I bought the cable modem for my Comcast connection, and run a D-Link wire-only router behind it for routing. And then whatever wireless router I feel like behind that. That means I have a firmware update to do tonight.

I wonder if the firmware update will fix a different problem I've discovered? My "router" will happily route non-routeable addresses from the LAN to WAN side. I was setting up some HSMM-MESH hardware using a different net than my home systems and I wanted to nmap them to see what was open. Imagine my surprise when a "Motorola CHS" MAC address responded to the non-routeable address I had assigned one of my MESH boxes. And kept responding after I turned the MESH router off.

Re:What percentage will be upgraded? (1)

petermgreen (876956) | about 4 months ago | (#45580227)

What am I missing here? Don't know of any ISP that supplies routers.

Maybe this is a regional thing, round here pretty much every ISP either gives you a router or tries to sell you one when you sign up for service. Some even insist on you using it.

And even replacing an older router with a faster one won't do a thing for speed. (unless it's bad) Most will handle 10 times the speed that the modem will.

It depends, if you are on ADSL or a slow cable package then it's not going to make much difference.

As you move up to high end cable or FTTC+VDSL services then older routers can certainly become a bottleneck and if you move up to FTTH services then you will allmost certainly need a new router to avoid bottlenecking the connection.

Level of difference made : next to none. (4, Insightful)

richy freeway (623503) | about 4 months ago | (#45576395)

How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it.

Re:Level of difference made : next to none. (3, Insightful)

Anonymous Coward | about 4 months ago | (#45577257)

That is not the point. This release is about patching there corporate image, not the firmware.

Re:Level of difference made : next to none. (0)

Anonymous Coward | about 4 months ago | (#45577901)

My guess is that their lawyers and beancounters just saw an outside possibility of legal liability and that this might mitigate the costs.

Re:Level of difference made : next to none. (1)

jones_supa (887896) | about 4 months ago | (#45578057)

That is not the point. This release is about patching there corporate image, not the firmware.

Well, then they are doing a good job because in my eyes a company that properly supports hardware, does have a better image.

Re:Level of difference made : next to none. (0)

Anonymous Coward | about 4 months ago | (#45578115)

A good job is supporting your hardware pro-actively, without the threat of a public backlash generated by an extraordinary amount of publicity, regarding extremely stupid mistakes.

This fast release for old products is completely out of character, it has "damage control" written all over it.

Re:Level of difference made : next to none. (1)

Arker (91948) | about 4 months ago | (#45577353)

"How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it."

This has broader applicability as well. No matter how much software people may wish otherwise, people treat their hardware like a black box and it makes no sense to them for it to be changing after the fact.

So you have massive vulnerabilities in just about anything ever shipped, because of the way software is developed. (There are other ways to develop, but essentially no one wants to hear about them, because they are slower.) Security depends on updates being applied quickly, yet this is always going to be problematic. Relying on the customer to apply an update (particularly one that has warnings about bricking your box on it) on time is ludicrous in most cases, yet any sort of automatic update system that does not rely on the user to make judgements is just another huge surface for vulnerabilities as well.

Put it all together and security is usually a bad joke.

Re:Level of difference made : next to none. (1)

H0p313ss (811249) | about 4 months ago | (#45577701)

Put it all together and security is usually a bad joke.

Always act and behave as if there is no security for any device with a network connection, everything else is just some form of wishful thinking.

Re:Level of difference made : next to none. (1)

roc97007 (608802) | about 4 months ago | (#45577445)

Can't say, but I can state positively that all of my customers who are currently on a d-link will be upgraded. It's in my best interest, as I'd have to repair the damage if they get compromised.

Re:Level of difference made : next to none. (0)

Anonymous Coward | about 4 months ago | (#45613481)

How many people will actually apply this firmware update? 90% of people plug their router in, hook their equipment up to it and leave it that way until it breaks, then they replace it.

And it won't fix the problem for those people. I still appreciate that they make it possible for the customer to fix the problem.

It would have been better if the product wasn't faulty to begin with but making a fix available is clearly the right thing to do. The only thing better would have been to also offer a replacement router for the less tech savvy people.

Another bug... (3, Informative)

Anonymous Coward | about 4 months ago | (#45576491)

Now they've to patch this... http://www.h725.co.vu/2013/11/d-link-whats-wrong-with-you.html

Re:Another bug... (2)

Zedrick (764028) | about 4 months ago | (#45578577)

Spread it on facebook, twitter etc and they'll do something about it. They don't lift a finger until the marketing department takes notice.

What's wrong with D-Link... well. I worked for D-Link support a long time ago, but it looks like nothing has changed. The people in Taiwan are doing their thing, and there's a lot of layers between them and the end user. I might still be bound by some kind of contract blaha, but one example: they refused to release the gpl'ed firmware sources to customers until I first reported them to the wall of shame on busybox.net, then reported it that my bosses and eventually got them to do something because it looked bad.

Re:Another bug... (1)

enoz (1181117) | about 4 months ago | (#45579793)

Late in 2009 I had the opportunity to setup a brand new D-Link DAP 1522 access point and I discovered a telnet interface with hardcoded credentials in the firmware. I have never disclosed the vulnerability to the vendor or publicly. Four years later the issue is still there on most D-Link SOHO network devices.

(emphasis mine)

I don't doubt the existence of this vulnerability, just the motives and timing behind disclosing publicly on this blog.

Changelog (0)

Anonymous Coward | about 4 months ago | (#45576787)

Just looked at the DIR-100 blob.

Old user-agent: xmlset_roodkcableoj28840ybtide
New user-agent: iNteLalsEtvaLuewitHoutnAme

(Disclaimer: Yes, /bin/webs was touched too. But looking at /etc/wdhttp.sh I have no hopes for a fix that deserves that name: http://pastebin.com/QVLr7CMM )

Re:Changelog (0)

Anonymous Coward | about 4 months ago | (#45577105)

Oh, and note that the files are dated October, 17. So it took them five days to patch the issue, but over a month to release a new firmware (which was announced for early November, by the way).

Are you sure that's it? (0)

Anonymous Coward | about 4 months ago | (#45578117)

I look through my spare routers pile and visited all of my DLink devices' firmware pages. However, all I see are "updated" firmwares (at least dated 2013) with the same versions. So, either D-Link is lazy in updating the version number, or they screwed up their last modified time for these firmwares.

Who Buys D-Link Anyway? (0)

Anonymous Coward | about 4 months ago | (#45582313)

They and Belkin pretty much are the suck.

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...