Here’s Yet Another D-Link RCE That Won’t be Fixed
2024-11-22 01:33:40 Author: securityboulevard.com(查看原文) 阅读量:5 收藏

A D-Link DSR-250N, which is now EOLStubborn network device maker digs in heels and tells you to buy  new  gear.

D-Link is once again under fire for not patching critical vulns. As with last week’s D-Link débâcle, the firm’s digging in its heels because the devices are a few months past their arbitrary end-of-life date (EOL).

This week, it’s a buffer overflow in six router products. In today’s SB  Blogwatch, we wonder what next week’s will be.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  Science!

D-Licious

What’s the craic? Bill Toulas reports: D-Link urges users to retire VPN routers impacted by unfixed RCE flaw

Critical flaws
The vulnerability … impacts all hardware and firmware revisions of DSR-150 and DSR-150N, and also DSR-250 and DSR-250N from firmware 3.13 to 3.17B901C. These VPN routers, popular in home office and small business settings, … reached their end of service on May 1.

D-Link has made it clear … they will not be releasing a security update. [It is] the networking hardware vendor’s strategy not to make exceptions for EoL devices when critical flaws are discovered, no matter how many people are still using these devices.

What are we supposed to do about it? Sead Fadilpašić has more: D-Link is telling users to stop using these routers immediately, or face hacking

Criminals will try to compromise
D-Link said that both hardware and firmware for these devices have expired, and workarounds are not recommended. … Instead, it urged users to retire the affected devices and replace them with newer, supported models.

Once word gets out, cybercriminals will definitely start scanning for vulnerable routers. … Being the gateways of all internet traffic on a local network, [they] are usually the first thing criminals will try to compromise in their attacks. End-of-life devices with known critical vulnerabilities, especially RCE, are considered low hanging fruit.

Horse’s mouth? Please Retire and Replace – Reported Security Vulnerabilities:

Recommends that this product be retired
This exploit affects this legacy D-Link router and all hardware revisions, which have reached their End of Life (“EOL”)/End of Service Life (“EOS”) Life-Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. … When products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease.

D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. … If you are an owner of a D-Link Model listed below and live in the US, D-Link will offer you a new DSR-250v2 … for 20% off. … Affected Models: DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, DSR-1000N.

Less PR flim-flam, please. Mentat74 translates for us:

“Our old products are **** and full of security holes that we won’t patch. Please buy our new products!”

Also: … How convenient that this particular bug has been discovered so soon [after] EOL.

D-Link doesn’t look so good. NewtonsLaw seconds the motion: [You’re fired—Ed.]

Seriously? … D-Link just signed its own death-warrant.

Who in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users’ systems? What are they smoking?

Be vewwy, vewwy qwiet! elmerfud’s huntin’ wegulation:

This is where I wish governments would step in and stop allowing companies to make appliances that are throw away. I understand that a company can only viably support or offer warranty for a limited time period but that should not cause something to become trash when [EOL].

The right to repair movement focuses mostly on the actual repair of the item but when so many of these items are using microcontrollers that are running software code, … the right to repair the hardware itself is insufficient. The United States is too dumb and too controlled by businesses to pass any meaningful legislation but I would hope that the EU would step up and pass legislation that says when you EOL a product … running software code, you must also open source [it] along with all appropriate tooling. … This way the community can continue to repair these devices.

One other thing that should be considered is that, even though this is an end of life product, this was a defect that existed from the beginning of the life of this product. Therefore this was defective the entire time—it just wasn’t discovered until now. This is another area a legislators need to step in and correct. Automobiles have no time limit on a safety recall. … It doesn’t matter if it took 15 years to be discovered, … the manufacturer is required to correct it.

But is anyone paying attention? MoMonies thinks not:

Chances are that any business that is still using this is completely unaware that they have [one] and that it is now extremely vulnerable.

However, bill001g doesn’t agree:

They are basically e-waste. Who is really going to be running a router with 100mbps ports nowadays? Commercial equipment is generally replaced long before it hits end of life.

Meanwhile, where does the company get its name? Mitoo Bobsworth has often wondered that:

D for Dud? I often wondered what it stood for.

And Finally:

Don’t try this at home, kids

Hat tip: Tom Scott

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Recent Articles By Author


文章来源: https://securityboulevard.com/2024/11/d-link-router-critical-rce-sol-richixbw/
如有侵权请联系:admin#unsafe.sh