News: 1732113126

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

D-Link tells users to trash old VPN routers over bug too dangerous to identify

(2024/11/20)


Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.

Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.

[1]

Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.

[2]

[3]

Adversary-in-the-middle attacks are possible too, and attackers could also feasibly pivot to other connected devices to deploy [4]ransomware , for example, although it should be said that D-Link hasn't explicitly said any of this could be possible in this case specifically. We only mention it to give a flavor of how seriously this issue should be taken. Vendors don't tend to issue retire-and-replace orders without good reason.

Apple confirms Intel Mac bug under active exploit

In other news, Apple released [5]patches for a pair of exploited zero-day bugs affecting older Intel Macs this week. Google's Threat Analysis Group (TAG) found that maliciously crafted web pages could in one case (CVE-2024-44308) lead to arbitrary code execution and a [6]cross-site scripting attack in another (CVE-2024-44309).

The vulnerabilities lie in Apple's [7]WebKit browser engine . On Macs, this means Safari users are affected, and given that exploits have been spotted on Intel-based versions, upgrading to macOS Sequoia 15.1.1 is highly advised.

WebKit not only powers Safari, but all browsers that run on iPadOS, iOS, and visionOS – [8]much to the dismay of the CMA . Chrome, Firefox, and others are all essentially reskinned Safaris here, meaning the WebKit issues affect all web browsers across all these non-Mac devices, so it appears Apple patched these for good measure too.

[9]China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer

[10]Citrix gives its Platform a polish with enhanced management tools

[11]Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble

[12]Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit

Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024 but some as far back as 2015 – D-Link won't be issuing patches for any of them.

The vendor extended an olive branch to product owners in the form of a 20 percent discount on a new service router (DSR-250v2) that is not affected by the vulnerability. Affected devices (all hardware revisions) include:

DSR-150 (EOL May 2024)

DSR-150N (EOL May 2024)

DSR-250 (EOL May 2024)

DSR-250N (EOL May 2024)

DSR-500N (EOL September 2015)

DSR-1000N (EOL October 2015)

"Regardless of product type or US sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," D-Link said in an [13]advisory .

"D-Link US is prohibited to provide support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office," it added. "If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware, D-Link does not support open-firmware which voids any warranty and is solely the responsibility of the device's owner."

In the meantime, product owners were also advised to regularly update each device's unique password used to access its web management pane, while also ensuring Wi-Fi encryption is enabled. ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zz4VsoV9VxBt4bCF0Gr38gAAAIY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zz4VsoV9VxBt4bCF0Gr38gAAAIY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zz4VsoV9VxBt4bCF0Gr38gAAAIY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://www.theregister.com/2024/11/19/suspected_phobos_admin/

[5] https://support.apple.com/en-us/121753

[6] https://www.theregister.com/2020/10/30/companies_house_xss_silliness/

[7] https://www.theregister.com/2023/09/28/vivaldi_browser_ios/

[8] https://www.theregister.com/2024/09/05/apple_safari_uk_cma/

[9] https://www.theregister.com/2024/11/19/china_brazenbamboo_fortinet_0day/

[10] https://www.theregister.com/2024/11/19/citrix_platform_updates/

[11] https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/

[12] https://www.theregister.com/2024/11/15/palo_alto_networks_firewall_zeroday/

[13] https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415

[14] https://whitepapers.theregister.com/



D-Link does not support open-firmware which voids any warranty

rafff

But we already know that there is no warranty to void - other than that the SW is bad.

Our old products are crap and full of security holes that we won't patch...

Mentat74

Please buy our new products !

Yeah right... pull the other one...

Also :

"Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024"

How convenient that this particular bug has been discovered so soon...

Re: Our old products are crap and full of security holes that we won't patch...

ComputerSays_noAbsolutelyNo

Will planned insecurity be the new planned obsolence?

In the past, manufacturers had to tinker with the placement of temperature-sensitive components to ensure that the device dies its intended death after its intended lifetime.

Nowadays, they can just discover a 11 out of 10 CVE, which - very unfortunately - can not be patched.

Good luck

Sudosu

How many people in the general public buy one of these things and leave it plugged in until it dies?

If there are still 2015 devices floating around, the ones that EOL'd in 2024 will likely still be around in 2034.

Re: Good luck

Ball boy

I would imagine the vast majority of consumer-level users have never upgraded firmware in their routers/switches or similar devices. Most will be running whatever version was installed during manufacture unless the device is configured to auto-update or an upgrade was pushed by their ISP.

Be honest: most people will only ever change the batteries in a smoke alarm because the damn thing beeps. What chance having the same people routinely check their router's firmware?

Re: Good luck

heyrick

" routinely check their router's firmware "

It's not out of the realms of possibility to have the router check for itself.

That being said, a self-checking router is a hell of a lot more likely than there being any new firmware to install.

I have plenty of devices around with firmware in flash and claims that it can update itself. Well, the first step is to find some of these things even mentioned on the company's website. The second is to have anything that even remotely resembles firmware.

I think far too often, and maybe for routers too, companies buy in stuff from a Chinese manufacturer and slap their own logo and branding into the thing. They don't care about the firmware as, asides from some simple customisations, that's all they ever did. The manufacturer doesn't care as they've already offloaded the devices to some sucker, and, well, everybody is too busy promoting the latest bit of techno-tat to want to have anything to do with what's already been sold.

Is there no product liability at all?

Missing Semicolon

D-Link sold a product that was defective on the day it was made. The fact that the defect has taken years to find does not change that. There is this successfully-promoted idea that software "rots", and so there is no more liability for old software failing than there is for a mechanical product wearing out.

Never mind "discounts". The default position should be "refund" or "exchange".

Re: Is there no product liability at all?

Doctor Syntax

100% discount would be acceptable.

That's what she said.