They've been trying lately though: you can supposedly set one up for a basic PPPoE and DHCP scenario using the MikroTik phone app, and they have a Back To Home WireGuard VPN setup app.
Can't there be a law that says something like "you can't release new hardware while you have unpatched older hardware still in use"? Recall or update your stuff first, release new things second.
Skimming the regulation text, it seems it requires the manufacturer of a connected device to report on and quickly fix vulnerabilities within the device's "support period". The support period for device classes still has to be determined, but it seems it is a vital requirement for a device to get a CE certification (without which it otherwise is not allowed to be put on the EU market).
These devices were produced back in 2011, I believe. Even with the CRA, I don't think much would change. A decade is definitely the high end of reasonable required software support for cheap budget NASes in my opinion. Of course stores would be forced to stop selling any remaining stock of them, but I doubt that's much of a problem, really.
Though, as a life-long Android user, I've been jealously looking at how long apple have actually been supporting their iPhones (at least since the iPhone 6) and I'm seriously considering switching.
The 6S, 7, 8 all got feature updates for 7 years, and are still getting security updates after 9 years. The iPhone XS is still getting feature updates after 6 years. On Android, you are lucky to get 3 years of feature updates and 5 years of security updates.
Google do seem to be improving here, with 7 years of support for Pixel 8 and 9, and 5 years for Pixel 6 and 7. Earlier models got 3 years which was barely acceptable.
How would that be defined? What about low CVEs? Does that mean a company can't release a keyboard while there are unpatched network switches? What about hybrid devices, like not releasing DSL modems, but what if it has an integrated switch? Does that mean no switches too? Who's going to enforce this? I can't see a way this wouldn't be turned into a "game the system" and wouldn't solve the unpatched product problem at all.
If you as a user want third-party firmware usually you can jailbreak and install it yourself (especially if the original firmware has zero security). If we allow a vendor to choose to make "the community" responsible for their firmware, almost every vendor will choose that as quickly as possible (e.g. one year).
Wouldn't the overlap between “people who run OpenWRT” and “people who use EOL D-Link routers” be "people who run OpenWRT on EOL D-Link routers"? The table of supported hardware at the OpenWRT site lists several D-Link models which can run the latest OpenWRT release, and several of them are marked as "discontinued" (that is, no longer sold), a few of them even being in that status for more than five years.
I don't know, I've installed openwrt on each device I've owned especially because their original firmware wasn't supported anymore (or crap to begin with).
Often because the cheap devices were either all I could afford or because I've even gotten them for free or basically free, like on flea markets.
Not downplaying the risks, but could a vulnerability on a D-Link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL, is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SoCs used on them powerful enough these days?
The major worry for these devices for me is someone using my network connection for nefarious uses. I suspect many of the “get a residential IP for your crawler” services actually use hacked IOT devices.
The basic gist is that in the event of a cyberwar you could brick millions of people's routers and their only natural solution would be to go to Best Buy to get a new one... which almost certainly is running a 4-5 year old Linux/firmware version that is equally vulnerable. Of course this requires some remote access or lateral entry from other systems on the network, but it's an interesting thought experiment regardless.
> The basic gist is that in the event of a cyberwar you could brick millions of people's routers [...] but it's an interesting thought experiment regardless.
I think this is already way past "thought experiment". On the day of the 2022 invasion of Ukraine by Russia, thousands of satellite modems were deliberately bricked.
The lack of major cyber wins in the invasion of Ukraine is still very surprising though. Maybe holding their cards for something big (something they didn't expect to win in "3 days"), or US really helped prepare Ukraine, or it's harder than it sounds :)
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
Yeah, this doesn't surprise me one bit. The number of vulns that get patched in home routers is staggering (D-Link is particularly shit-tier and known for this.) If there's that many vulns being fixed then imagine the backlog of unfixed vulns... Then imagine how many legitimate issues have to be hand-waved away because engineers know there's no way in hell they'll ever get the time to fix them. And have to prioritize the worst problems.
It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent people's networks, who deserve to have privacy and security like anyone else. It's not outside the realm of possibility that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when it's done badly.
I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.
You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?
> You knew your device was no longer supported and would no longer receive security updates
I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.
[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.
You are on HN, so this makes sense to you. Imagine your car was hacked and bricked while driving your family through the middle of the desert. As an adult who bought the car, is this your responsibility, that you endangered your family's well-being?
A legally binding as well as moral yes. If you drive a 2000 pound death machine, know how it can kill you. The idea that you are somehow not culpable in the situation you've given is baffling. Of course you are.
Yeah, the only thing that might make D-Link's position here unreasonable is how long ago the devices hit EOL. Like if it was last week then they are being a bit petty if they don't issue a patch, but on the other hand if it was 10 years ago it is ridiculous to expect them to patch it. I couldn't find that info in the linked article (probably it's somewhere in between the two extremes I mentioned), but without knowing that context I can't really fault a vendor for saying "EOL means EOL, sorry".
> if it was 10 years ago it is ridiculous to expect them to patch it
I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?
Why do you think there is such a thing as 'D-Link haters'?
I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...
Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind boggling levels of incompetence?
I'd usually give the EOL argument some credit, but this exploit is not an accident: someone deliberately wrote an unauthenticated remote command execution as a feature, it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this".
Here's an article for those who'd rather read than watch someone's youtube video:
https://www.techradar.com/pro/security/d-link-says-it-wont-p...
Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different
Ok, we've changed to that from https://www.youtube.com/watch?v=52v6gKPA4TM above. Thanks!
Another 60,000 devices ripe for malicious entities to use in their botnet.
> Another 60,000 devices ripe for malicious entities to use in their botnet.
Right, my immediate reaction after reading the title was that D-Link might not patch their hardware, but others certainly will.
> Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different
Except for unmanaged switches. These little D-Link unmanaged switches are little workhorses: I've got several so old I don't remember when I bought them. I take it D-Link didn't manage to fuck up even an unmanaged switch?
But having seen their approach to security, I probably won't buy D-Link again.
I think they actually did manage to fuck up even the small unmanaged switches. I have three unmanaged switches at home, one on the ground floor and two on the first floor. Ground floor is an 8-port Netgear, first floor are one TP-Link and one D-Link.
Every couple of weeks, the entire wired network goes down. Not even pinging addresses works. The D-Link's port LEDs are all flashing (perfectly in sync!) until I power cycle it. Then everything goes back to normal.
I have no idea what happens, and I should probably replace the D-Link soon.
Are you aware of broadcast storms? Perhaps you somehow accidentally introduced a loop in the network? The symptoms fit that exactly. https://en.wikipedia.org/wiki/Broadcast_storm
STP is meant to prevent that. https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
Of course you can't set up STP with unmanaged switches, so until you go managed and set up STP properly nothing will change.
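Why a cabling loop between unmanaged switches produces exactly these symptoms (every port busy, nothing getting through until a power cycle) and why STP stops it, as an added example that is not part of the thread: a toy C simulation of broadcast flooding. Unmanaged switches repeat every broadcast out of every other port and Ethernet frames carry no TTL, so in a loop-free network a broadcast dies once it has reached every switch, while in a looped network copies circulate forever and multiply at every switch with more than two inter-switch cables. The four-switch topology is constructed for the example, and the breadth-first search stands in for STP's root election and path-cost comparison.

```c
/* Added example: unmanaged-switch broadcast flooding with and without a loop,
 * and the effect of STP pruning the topology to a spanning tree. */
#include <stdio.h>
#include <string.h>

#define MAX_SW 8
#define MAX_FRAMES 50000   /* counting cap so a storm simulation still terminates */

/* Switches are numbered 0..n-1; link[a][b] == 1 means a cable joins a and b. */
typedef struct { int n; int link[MAX_SW][MAX_SW]; } topology;

/* A broadcast copy sitting at switch `at`, having arrived over the cable from
 * `from` (-1: injected by a host). */
typedef struct { int at, from; } frame;

static void add_link(topology *t, int a, int b) { t->link[a][b] = t->link[b][a] = 1; }

/* One round = every in-flight copy is repeated out of every inter-switch cable
 * except the one it arrived on. Copies only vanish at a switch with no other
 * cable. Returns the number of copies in flight after `rounds` rounds (capped). */
static long flood_rounds(const topology *t, int rounds)
{
    static frame cur[MAX_FRAMES], next[MAX_FRAMES];
    long ncur = 1, nnext;

    cur[0].at = 0;
    cur[0].from = -1;                       /* a host on switch 0 sends one broadcast */
    for (int r = 0; r < rounds && ncur > 0; r++) {
        nnext = 0;
        for (long i = 0; i < ncur; i++) {
            int at = cur[i].at, from = cur[i].from;
            for (int p = 0; p < t->n; p++) {
                if (p == from || !t->link[at][p])
                    continue;
                if (nnext >= MAX_FRAMES)
                    return MAX_FRAMES;      /* unmistakably a storm; stop counting */
                next[nnext].at = p;
                next[nnext].from = at;
                nnext++;
            }
        }
        memcpy(cur, next, (size_t)nnext * sizeof(frame));
        ncur = nnext;
    }
    return ncur;
}

/* In a loop-free topology a broadcast dies within n-1 rounds, so anything
 * still in flight after 2n rounds means the cabling contains a loop. */
static int has_storm(const topology *t) { return flood_rounds(t, 2 * t->n) > 0; }

/* What STP achieves: one root bridge (switch 0 here) plus a spanning tree of
 * forwarding links; every redundant link goes into the blocking state. Real
 * STP elects the root and compares path costs and bridge IDs; a BFS over
 * unit-cost links is the equivalent for this toy. */
static topology stp_prune(const topology *t)
{
    topology out;
    int seen[MAX_SW] = {0}, queue[MAX_SW], head = 0, tail = 0;

    memset(&out, 0, sizeof out);
    out.n = t->n;
    seen[0] = 1;
    queue[tail++] = 0;
    while (head < tail) {
        int a = queue[head++];
        for (int b = 0; b < t->n; b++) {
            if (t->link[a][b] && !seen[b]) {
                seen[b] = 1;
                queue[tail++] = b;
                out.link[a][b] = out.link[b][a] = 1;
            }
        }
    }
    return out;
}

/* Constructed sample, nobody's real network: four switches cabled in a ring
 * 0-1-2-3-0 plus one stray cable between 0 and 2, i.e. two loops. */
static topology sample_looped_network(void)
{
    topology t;
    memset(&t, 0, sizeof t);
    t.n = 4;
    add_link(&t, 0, 1); add_link(&t, 1, 2); add_link(&t, 2, 3); add_link(&t, 3, 0);
    add_link(&t, 0, 2);
    return t;
}

static long sample_frames_after(int rounds)
{
    topology t = sample_looped_network();
    return flood_rounds(&t, rounds);
}

static int sample_has_storm(void)
{
    topology t = sample_looped_network();
    return has_storm(&t);
}

static int sample_has_storm_with_stp(void)
{
    topology t = sample_looped_network();
    topology pruned = stp_prune(&t);
    return has_storm(&pruned);
}

int main(void)
{
    for (int r = 1; r <= 8; r++)
        printf("round %d: %ld broadcast copies in flight\n", r, sample_frames_after(r));
    printf("storm without STP: %d, with STP: %d\n", sample_has_storm(), sample_has_storm_with_stp());
    return 0;
}
```

The copies in flight go 3, 4, 6, ... and never reach zero in the looped topology; after STP has blocked the two redundant cables the same broadcast is gone after two rounds. The model ignores host ports and MAC-table flapping, both of which make a real storm worse, not better.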
I was not! Thanks for the hint!
Although I'm 100% sure there are no loops, I haven't changed the actual cable layout in ages.
Jumbo frames? https://en.m.wikipedia.org/wiki/Jumbo_frame
I haven't enabled jumbo frames knowingly on my system, but even if I had, why would the issue occur only every few weeks? Also, it seems to be rather independent of the actual network load.
I have a couple of TP-Link unmanaged 4 port SOHO switches. They're pretty reliable so far.
The TP Link (typo in my other post) and the Netgear are reliable, only the D Link causes issues.
DLink were for me one of the least reliable small unmanaged switches I tried over the years. Out of those I have had (I have about 7 in the house, they get replaced when one dies), there was DLink, Linksys, HP, Netgear and TP-Link; the TP-Links are by far the most reliable insomuch as I have never had one die, and now all my switches are TP-Link as all of the others gave up the ghost.
> I take it D-Link didn't manage to fuck up even an unmanaged switch?
I'd hope not. I haven't seen it yet at least.
If anyone is looking for alternatives as far as long term supported products go... I've had nothing but good experiences with Ubiquiti (Unifi) and OpenWRT. At the lower end of the price spectrum, OpenWRT supported devices can be an incredible value, and most will probably remain supported for decades to come.
More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.
Regarding supporting devices long-term, I can still get current version official OpenWrt for the Netgear WNDR3700v2, which I think is about 15 years old at this point.
https://firmware-selector.openwrt.org/?version=23.05.5&targe...
https://openwrt.org/toh/netgear/wndr3700
I always try to find out what's one of the best-supported OpenWrt routers at the time I'm shopping. And can I get one (or a few) of them on eBay at great prices.
WRT54-GL, WNDR3700(v2,v4) and WNDR3800, Netgear R7800.
I also have an OPNsense box that I'm evaluating. But, since OPNsense (FreeBSD) isn't strong on WiFi, I'd need to pair it with separate WiFi APs (running OpenWrt). I'm not liking the extra complexity, when an OpenWrt R7800 still does everything I really need right now.
> At the lower end of the price spectrum, OpenWRT supported devices [...] will probably remain supported for decades to come.
Not really. Each newer OpenWRT release needs slightly more storage and memory than the previous one, and these devices at the lower end of the price spectrum tend to have as little storage and memory as they can get away with. Older devices with as little as 4 MB of storage and/or 32 MB of memory are already unable to run current OpenWRT releases, and devices with 8 MB of storage and/or 64 MB of memory are already on the way out. But yeah, other than that OpenWRT does tend to support devices way past their original EOL.
Counterpoint: The original "Google Wi-Fi" mesh routers (the hockey-puck-looking ones) from about ~10 years ago come with *4GB* of storage and 512MB of RAM [1]
[1] https://openwrt.org/toh/google/wifi
They're about $30-$50 USD for a 3 pack on eBay
It's not just those. The 16 MB storage/128 MB flash recommended minimums are a non-issue for pretty much any remotely popular router in the 802.11ac wifi era, and I doubt OpenWRT will suddenly explode in size and blow past those limits any time soon (just look at its trajectory over the past decade).
Why did Google spec them so heavy?
The storage is eMMC, basically the cheapest thing available once you've committed. You'd have to actively try to buy eMMC smaller than 2-4GB. Same for the RAM, that's a single chip. It's not a heavy spec, just somewhere near the bottom of the cost curve for those particular parts.
They probably used similar parts in another product and threw them into the routers for the additional order volume, known bring-up risk, and dev benefits. The pixel series also uses Samsung eMMC, iirc.
They probably budgeted a dollar for storage and a dollar for ram, or close to it.
Sometimes it's nice to be able to run a normal OS.
I disagree with your sentiment. I think the routers openwrt has dropped support for are super low spec, like $20. And they still run older versions of openwrt.
You could probably also just run openwrt without a GUI and probably do fine.
Additionally, I like that openwrt works on higher end boxes now, like the Zyxel GS1900 12, 24 and 48-port switches.
Note that the limit only applies to the base OpenWRT installation. I have successfully configured my ancient router to boot from the router's USB storage (64 GB flash drive).
OpenBSD also works great for such things.
Anyone have any OPNSense budget hardware recommendations?
What performance are you looking for? Alternatively, what's your (power) budget?
Just to clarify, OPNsense is based on FreeBSD[0], not OpenBSD. But OpenBSD does indeed make a good router/firewall OS as mentioned by GP. :)
[0] https://opnsense.org/about/about-opnsense/
N100 is an excellent chip to go for. I'm currently using an AliExpress special with a Celeron N5105 chipset in it. It works fine as well, but I'd opt for the N100 next time if I had to replace it.
Celeron N5105
CPU: Intel Jasper Lake Celeron Processor N5105, 4 cores 4 threads, 64 bit, 10nm, 2.0GHz up to 2.9GHz, 4M cache
GPU: Intel UHD Graphics GPU, 24EU, 450MHz up to 800MHz
vs
Alder Lake N100
CPU: Intel Alder Lake Processor N100, 4 cores 4 threads, 64 bit, 10nm, Up to 3.4GHz, 6M cache
GPU: Intel UHD Graphics GPU, 24EU, Up to 750MHz
I bought an N100 model to run as my backup server (PBS etc.) and it's a cracker. Debian is so snappy on it.
Also running OPNSense (in a VM) on an N5105 from an AliExpress mini box, with four Ethernet ports. Thing gets hot though, passively cooled, but I put a fan on top of it.
Also runs another VM with some lightweight docker containers. Reliable little thing.
Would also go N100 if needed replacement.
I think OpenWRT is the right approach at this point. Open source really excels where there is a 'commons.' We all have a shared interest in secure networks. Commercialized gatekeeping of router firmware doesn't make sense. These manufacturers should just switch to OpenWRT and skin it.
> These manufacturers should just switch to OpenWRT and skin it.
Take a look at Teltonika, that's basically what they do, but with nice over-provisioned hardware. Comes with the "industrial" price tag, but theirs is the most rock solid network gear I've ever used, and you actually receive frequent router and modem firmware updates.
I have one of their RUTX50 (5G LTE modem/router) at home and get about ~550 Mbit/s through it, best internet I've ever had. I've never been forced to reboot it. I tried some consumer 5G modems before that and they were a total waste of money. I've also used their non-LTE gear elsewhere and it's the same pleasant experience, and naturally highly configurable due to OpenWRT without having to hack around.
opnsense also has hardware options.
Look I am just being grumpy about this and I know it has nothing really substantive to do with the underlying story, which is D-Link EOL'ing products, but: there is really no such thing as a "9.8" or "9.2" vulnerability; there is more actual science in Pitchfork's 0.0-10.0 scale than there is in CVSS.
What is this Pitchfork scale? Is it an actual one? Searching didn't return any useful results.
It's a music review site.
Or well… if you have one of these models, this is the way.
https://openwrt.org/toh/d-link/start
I didn't find most of the affected models there, and for those I did find, the pages are full of warnings, such as that OpenWrt support has been obsolete since 2022 and/or that 4 MB of flash and 32 MB of RAM is not enough to do anything useful.
Background on the underlying context of the bug: https://www.youtube.com/watch?v=-vpGswuYVg8 -- It's objectively unforgivable.
TL;DW:
Call GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
account_mgr.cgi is safe, it takes web parameters "name", "pw" and calls the equivalent of
"account" was written by the intern and runs
Never mind the actual mistake "the intern" made.
Not only was "the intern" tapped to write code that accepts user input from HTTP and also use system administration shell commands - and use C to do raw string handling, for that matter; who knows if `buf` is properly allocated? - but there was either no review/oversight or nobody saw the problem. Plus there are two layers of invoking a new program where surely one would suffice; and it's obviously done in a different way each time. Even programmers who have never used Linux and know nothing about its shells or core utilities, should be raising an eyebrow at that.
Meanwhile, people want to use AI to generate boilerplate so that their own company's "the intern" can feel like a "10x developer" (or managers can delude themselves that they found one).
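The thread describes the shape of the bug (a CGI program passes the web "name" parameter into a shell command line, and a quote in the value ends the argument) but the page no longer carries the code itself. As an added example, not D-Link's code and not taken from the video, here is that construction in C beside the hardened form a reviewer should have insisted on: allow-list the username at the HTTP boundary, then exec the tool directly with an argv array so no shell ever parses the value, which also removes the second program-invocation layer the comment above objects to. The `account -u/-p` command line, the function names and the sample input are this example's assumptions, not the real interface.

```c
/* Added example: vulnerable shell-string construction next to the hardened
 * validate-then-execvp version. Tool name and flags are placeholders. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: splice raw web input into a command line destined for
 * system(), i.e. for /bin/sh. A single quote inside `name` closes the quoted
 * argument and the shell runs whatever follows. The string is only built and
 * returned here, never executed. snprintf at least bounds the write into buf;
 * the thread notes the original may not even have had that. */
static const char *build_shell_command_unsafe(const char *name, const char *pw,
                                              char *buf, size_t len)
{
    snprintf(buf, len, "account -u '%s' -p '%s'", name, pw);
    return buf;
}

/* Constructed sample input: the URL-decoded form of the name=%27;...;%27 value
 * quoted in the thread, with a harmless echo standing in for the injected
 * command. Shows the command line the shell would have received. */
static const char *unsafe_demo(void)
{
    static char buf[256];
    return build_shell_command_unsafe("';echo injected;'", "x", buf, sizeof buf);
}

/* Allow-list the username at the HTTP boundary: a plausible account name and
 * nothing else. A leading '-' is rejected so the tool cannot read it as an
 * option. Length is capped so no downstream fixed-size buffer is at risk. */
static int valid_username(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then execvp() the tool with an argv array. No
 * shell is involved, so quotes and semicolons in `name` (or in `pw`, which
 * legitimately may contain them) are plain bytes inside one argument. The CGI
 * runs the tool directly: one exec layer, not a shell that runs a shell.
 * Returns the child's exit status, or -1 if the input was rejected or the
 * process could not be started. */
static int run_account_safe(const char *name, const char *pw)
{
    if (!valid_username(name))
        return -1;
    char *const argv[] = { "account", "-u", (char *)name, "-p", (char *)pw, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed: no such tool on PATH */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("shell would receive: %s\n", unsafe_demo());
    printf("safe path rejects injected name: %d\n",
           run_account_safe("';echo injected;'", "x"));
    printf("safe path accepts 'alice' (127 = placeholder tool not installed): %d\n",
           run_account_safe("alice", "x"));
    return 0;
}
```

The printed command line makes the failure obvious: `account -u '';echo injected;'' -p 'x'` is three shell commands, not one. Note that the exec-with-argv change alone would already stop the injection; the allow-list is there because the CGI layer is the one place that knows what a username is supposed to look like, and rejecting junk there keeps every downstream tool out of the trust decision.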
That’s insane.
Wasteful choice enabled by not being entirely responsible for pollution, energy consumption and trash. If they had to pay for full environmental restoration, energy at full cost and careful disposal of unsuitable hardware, the decision would have been different.
To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.
Same as the NPM warnings. It's always screaming that there are a billion super critical vulnerabilities, but when I look into them it ends up being stuff like "if you put a malicious regex into your own config file, your JS linter will get stuck".
I'm pretty sure a 9.8 CVE for something connected directly to WAN is a very bad thing.
The point is that the title puts the number up there to sensationalize. It doesn't concretely explain the scope or magnitude of the vulnerability.
The 9.8 CVE was for their NAS. Exposing any NAS directly to the open Internet is a Bad Idea.
For that matter, nearly every shit-tier NAS vendor (WD, QNAP) has had some critical remote vulnerability in recent years. Some were notable for mass data loss incidents.
That aside, these companies are all very good at making very, very nice hardware at a price point consumers can afford. Some corners have to be cut and it's often software.
The dirty secret is many Internet of Shit device vendors outsource the software development, often to the lowest bidder in some offshore sweatshop. In some cases it's just a repackage of an ODM design from some no-name company in Shenzhen.
None of which are known for secure coding or good software practices.
Criticize all you want but this is a textbook example of getting what you paid for.
It's unreasonable to pay $100 for a D-Link box and expect it's Cisco ASA quality with free indefinite support.
Cisco, Juniper, and Palo Alto would all tell you to pound sand if you expect support after EOL or if you let your maintenance contract (aka protection racket) lapse.
This is a command injection through a basic GET giving instant root access. Definitely worth a high score. These days I'm pretty sure browsers won't let you put a private IP in an <img> URL anymore but for the past 10-13 years there have definitely been browsers where visiting a web page is all you needed to do to get your NAS hooked up to a botnet.
The problem is the way those specifics are handled. The Complexity metric is intended to handle the "specific configuration required" scenario but nobody is really incentivized to properly score their stuff.
Most "Critical" thing is: you buy a new router that is not from Duh-Link.
It's a shame that MikroTik routers' UI is completely unsuitable for non-powerusers.
Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.
They've been trying lately though, you can supposedly set one up for a basic pppoe and dhcp scenario using the Mikrotik phone app and they have a Back To Home wireguard VPN setup app
I dunno, it's pretty basic. It has lots of options but users only need to be guided to quick setup or a few other places.
There is https://play.google.com/store/apps/details?id=com.mikrotik.a... official Home user app
And the default page on routers ip is https://help.mikrotik.com/docs/spaces/ROS/pages/328060/Quick...
Can't there be a law that says something like "you can't release new hardware while you have unpatched older hardware still in use"? Recall or update your stuff first, release new things second.
The European Union has the Cyber Resilience Act, which will most likely become effective / mandatory by the end of 2027.
https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act
Skimming the regulation text, it seems it requires the manufacturer of a connected device to report on and quickly fix vulnerabilities within the device's "support period". The support period for device classes still has to be determined, but it seems it is a vital requirement for a device to get a CE certification (without which it otherwise is not allowed to be put on the EU market).
These devices were produced back in 2011 I believe. Even with the CRA, I don't think much would change. A decade is definitely the high end of reasonable required software support for cheap budget NASes in my opinion. Of course stores would be forced to stop selling any remaining stock of them, but I doubt that's much of a problem, really.
Simpler. Just open up the firmware when EOL, so a 3rd party can patch it.
Stop e-waste and planned obsolescence.
If you fear losing sales on new HW, make it significantly better.
Yes, that would be better. I have a drawer full of old iPhone and Mac devices that are practically blobs of ewaste because their OS doesn't update.
It would be nice.
Though, as a life-long Android user, I've been jealously looking at how long Apple have actually been supporting their iPhones (at least since the iPhone 6) and I'm seriously considering switching.
The 6S, 7, 8 all got feature updates for 7 years, and are still getting security updates after 9 years. The iPhone XS is still getting feature updates after 6 years. On Android, you are lucky to get 3 years of feature updates and 5 years of security updates.
Google do seem to be improving here, with 7 years of support for Pixel 8 and 9, and 5 years for Pixel 6 and 7. Earlier models got 3 years which was barely acceptable.
How would that be defined? What about low CVEs? Does that mean a company can't release a keyboard while there's unpatched network switches? What about devices that are hybrid, like no releasing DSL modems, but what if it has an integrated switch? Does that mean no switches too? Who's going to enforce this? I can't see a way this wouldn't be turned into a "game the system" and wouldn't solve the unpatched product problem at all.
One of the reasons why there are major security f-ups: no accountability and no consequences
Related:
D-Link tells users to trash old VPN routers over bug too dangerous to identify
https://news.ycombinator.com/item?id=42201639
I remember this happened before, and someone smarter than me exploited the vulnerability to access every router and patch it remotely.
how about this: you can only abandon hardware if you enable open firmware on it.
Just opensource the firmware and redirect the update url.
That doesn't set a good precedent though. The community shouldn't be expected to carry every IoT device.
Maybe not, but it'd be nice to have the option. Wouldn't it?
If you as a user want third-party firmware usually you can jailbreak and install it yourself (especially if the original firmware has zero security). If we allow a vendor to choose to make "the community" responsible for their firmware, almost every vendor will choose that as quickly as possible (e.g. one year).
That's why in sane countries there is jurisdiction to deal with that.
If you leave capitalism unchecked it will fuck you as hard as any other system.
D-Link says buy a new router after vulnerability emerges after the signposted end of support date.
Having experienced D-link products first hand I’d say that anyone with a D-link product should buy something else anyway.
Something that supports OpenWRT.
I don’t think there’s much overlap between “people who run OpenWRT” and “people who use EOL D-Link routers”
Wouldn't the overlap between “people who run OpenWRT” and “people who use EOL D-Link routers” be "people who run OpenWRT on EOL D-Link routers"? The table of supported hardware at the OpenWRT site lists several D-Link models which can run the latest OpenWRT release, and several of them are marked as "discontinued" (that is, no longer sold), a few of them even being in that status for more than five years.
I don't know, I've installed openwrt on each device I've owned especially because their original firmware wasn't supported anymore (or crap to begin with).
Often because the cheap devices were either all I could afford or because I've even gotten them for free or basically free, like on flea markets.
„Just buy a new modem“ they say … sure won’t be a D-Link ever again.
I could see them facing criminal liability here. Someone is having hard conversations with their insurance company.
Not downplaying the risks, but could a vulnerability on a d-link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SOCs used on them powerful enough these days.
It’s powerful enough to mitm traffic if you get someone to install a certificate, and it can easily pass packets wherever the attacker wants.
True, I was thinking of packet analysis being intensive, but simpler MITM/splitting it outbound makes sense.
Ransomware and bricking would probably be the primary risk though. And security cams, NAS, printers, etc.
The major worry for these devices for me is someone using my network connection for nefarious uses. I suspect many of the “get a residential IP for your crawler” services actually use hacked IOT devices.
This is also true of every intermediate router between you and the destination.
TLS would not need to exist otherwise.
Most intermediate routers don't have easily exploitable holes allowing attackers to take them over to MITM traffic though...
I thought most internet routers in the US at least were pwned by the NSA. :D
Reminds me of a Dan Geer talk he gave at NSA from 2014 http://geer.tinho.net/geer.nsa.26iii14.txt
The basic gist is in the event of a cyberwar you could brick millions of people's routers and their only natural solution would be to go to BestBuy to get a new one... which almost certainly is running a 4-5yr old linux/firmware version that is equally vulnerable. Of course this requires some remote access or lateral entry from other systems on the network, but it's an interesting thought experiment regardless.
> the basic gist is in the event of a cyberwar you could brick millions of people's routers [...] but it's an interesting thought experiment regardless.
I think this is already way past "thought experiment". In the day of the 2022 invasion of Ukraine by Russia, thousands of satellite modems were deliberately bricked.
and https://en.wikipedia.org/wiki/VPNFilter
The lack of major cyber wins in the invasion of Ukraine is still very surprising though. Maybe holding their cards for something big (something they didn't expect to win in "3 days"), or US really helped prepare Ukraine, or it's harder than it sounds :)
Yes they do. It's called BGP.
Discussion around this seems very confused; there are quite a few severe vulnerabilities this year in various products (routers and NASes).
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".
https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading firmware
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).
CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance
https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.
(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
Huh I recently retired all my Dlink routers as soon as they stopped getting security updates, lucky me.
Yeah, this doesn't surprise me one bit. The number of vulns that get patched in home routers is staggering (D-Link is particularly shit-tier and known for this.) If there's that many vulns being fixed then imagine the backlog of unfixed vulns... Then imagine how many legitimate issues have to be hand-waved away because engineers know there's no way in hell they'll ever get the time to fix them. And have to prioritize the worst problems.
It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent people's networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibility that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when it's done badly.
I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.
You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?
> You knew your device was no longer supported and would no longer receive security updates
I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.
[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.
As an adult paying for your ISP service: you have some responsibility here. Whether you want that responsibility or not.
You are on HN so this makes sense to you. Imagine your car was hacked while driving your family in the middle of the desert and bricked. As an adult that bought the car, is this your responsibility that you endangered your family’s well-being?
A legally binding as well as moral yes. If you drive a 2000 pound death machine, know how it can kill you. The idea that you are somehow not culpable in the situation you've given is baffling. Of course you are.
Yeah, the only thing that might make D-Link's position here unreasonable is how long ago the devices hit EOL. Like if it was last week then they are being a bit petty if they don't issue a patch, but on the other hand if it was 10 years ago it is ridiculous to expect them to patch it. I couldn't find that info in the linked article (probably it's somewhere in between the two extremes I mentioned), but without knowing that context I can't really fault a vendor for saying "EOL means EOL, sorry".
> if it was 10 years ago it is ridiculous to expect them to patch it
I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?
Also, how many hundreds of dollars would it really cost them to release an update, even if it was 15 years old?
I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.
Why do you think there is such a thing as 'D-Link haters'?
I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...
Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind-boggling levels of incompetence?
I'd usually give the EOL argument some credit, but this exploit is not an accident, someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this"
We could have passed a law requiring minimum security standards but we didn't. The result was predictable and here it is.
How long should a consumer expect their modem to last? How long ago were they last being sold at retailers?
Wait, has Apple ever exposed an end-point like this?
Do we know how they'd react if they ever did?