
D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices

(Monday November 11, 2024 @10:30PM (BeauHD) from the PSA dept.)


D-Link [1]confirmed no fix will be issued for the over 60,000 D-Link NAS devices that are vulnerable to a critical command injection flaw (CVE-2024-10914), allowing unauthenticated attackers to execute arbitrary commands through unsanitized HTTP requests. The networking company advises users to retire or isolate the affected devices from public internet access. BleepingComputer reports:

> The flaw impacts multiple models of D-Link network-attached storage (NAS) devices that are commonly used by small businesses: DNS-320 Version 1.00; DNS-320LW Version 1.01.0914.2012; DNS-325 Version 1.01, Version 1.02; and DNS-340L Version 1.08. [...] A search that Netsecfish conducted on the FOFA platform returned 61,147 results at 41,097 unique IP addresses for D-Link devices vulnerable to CVE-2024-10914.


> In a [2]security bulletin today, D-Link has confirmed that a fix for CVE-2024-10914 is not coming and the vendor recommends that users retire vulnerable products. If that is not possible at the moment, users should at least isolate them from the public internet or place them under stricter access conditions. The same researcher discovered in April this year an arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, impacting mostly the same D-Link NAS models as the latest flaw.



[1] https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/

[2] http://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413
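The bulletin above describes the bug only as command injection reached through an unsanitized HTTP request; it does not say which CGI endpoint or parameter is involved, and neither does this example. What follows is an added illustration, not D-Link's firmware code, of the general pattern behind that class of bug in a C CGI handler: a request parameter pasted into a command string for system()/popen(), next to the two fixes a practitioner would expect (allow-list the value after percent-decoding, and exec an argv with no shell in the path). The helper names, the adduser command line and the sample request are all invented for the demonstration.

```c
/* Added example, not D-Link code. Sketches how an unsanitized request
 * parameter reaches a shell in a NAS CGI handler and how to close it.
 * Endpoint, parameter name and the adduser command line are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: the parameter is formatted straight into a command
 * line that is later handed to system(). A value like "alice;id" or
 * "alice$(reboot)" makes /bin/sh run the attacker's command as the CGI's
 * user, usually root on this class of device. Returns 1 if it fit. */
int build_useradd_cmd_vulnerable(char *out, size_t outsz, const char *name) {
    return snprintf(out, outsz, "/usr/sbin/adduser -D %s", name) < (int)outsz;
}

/* Minimal percent-decoder. A check applied to the raw, still-encoded
 * parameter would miss "%3B" (';'), so validation must run on the
 * decoded value, which is what the command would actually see. */
size_t url_decode(char *dst, size_t dstsz, const char *src) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && o + 1 < dstsz; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) &&
            isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (src[i] == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Fix, step 1: allow-list rather than deny-list. A NAS account name only
 * needs [A-Za-z0-9_.-] and a sane length; everything else is rejected,
 * which covers ; | & $ ` newline and every other shell metacharacter
 * without trying to enumerate them. A leading '-' is refused as well so
 * the value can never be parsed as a command-line option. */
int username_is_valid(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Fix, step 2: no shell at all. Build an argv for execv()/posix_spawn();
 * the parameter is then a single argument and metacharacters are inert
 * bytes. Returns the number of argv entries, or -1 if the name is rejected. */
int build_useradd_argv_safe(const char *argv[], size_t max, const char *name) {
    if (max < 4 || !username_is_valid(name))
        return -1;
    argv[0] = "/usr/sbin/adduser";
    argv[1] = "-D";
    argv[2] = name;
    argv[3] = NULL;
    return 3;
}

int main(void) {
    /* Constructed request parameter, percent-encoded as a browser or curl
     * would send it: the attacker appends ";id" to a user name. */
    const char *raw_param = "alice%3Bid";
    char name[64], cmd[128];
    const char *argv[8];

    url_decode(name, sizeof name, raw_param);
    build_useradd_cmd_vulnerable(cmd, sizeof cmd, name);
    printf("vulnerable handler would run via /bin/sh: %s\n", cmd);

    if (build_useradd_argv_safe(argv, 8, name) < 0)
        printf("hardened handler rejects %s before any exec\n", name);
    if (build_useradd_argv_safe(argv, 8, "alice") > 0)
        printf("hardened handler execs %s %s %s with no shell\n",
               argv[0], argv[1], argv[2]);
    return 0;
}
```

The order matters: decode first, then validate, then exec without a shell. Any one of the three on its own still leaves a path open (an encoded payload slips past raw-string checks; a deny-list misses a metacharacter; a validated value still goes through the shell's quoting rules if system() remains).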



What I would not give (Score:2)

by WaffleMonster ( 969671 )

To be able to sue the bastards for this type of shit.

It's one thing to commit innocent mistakes, even semi-negligent mistakes, that result in security problems. It is a whole other level of sleaziness for a company to intentionally sit on its ass and refuse to take responsibility and address safety defects in its own products.

Re:What I would not give (Score:4, Interesting)

by Brain-Fu ( 1274756 )

Does it make a difference that the company no longer produces NAS devices, and that these in particular have already reached their End of Life?

How long is a manufacturer required to spend money to fix bugs in old devices that they no longer sell and that are already outside of their stated support period, in order to be "ok" in your book?

Re: (Score:2)

by CoolDiscoRex ( 5227177 )

How long is a manufacturer required to spend money to fix bugs in old devices that they no longer sell and that are already outside of their stated support period, in order to be "ok" in your book?

As long as tens of thousands remain in active use? The bugs are a defect, it is not a favor.

Re: (Score:2)

by NoWayNoShapeNoForm ( 7060585 )

> How long is a manufacturer required to spend money to fix bugs in old devices that they no longer sell and that are already outside of their stated support period, in order to be "ok" in your book?

> As long as tens of thousands remain in active use? The bugs are a defect, it is not a favor.

So you might be in favor of the manufacturer of such devices implementing an unremovable "call home to maker" feature (that sends all sorts of data, right?) so the manufacturer can keep a running count on how many devices (along with what hardware models, what patch levels, and so on) are still up & working out in the field?

Otherwise, how would you propose a manufacturer maintain such an awareness? Ask the customer to contact them from time to time?

Re: (Score:2)

by bill_mcgonigle ( 4333 ) *

Whatever time is disclosed on the front label at the time of sale seems OK to me.

If Ford gets out of the truck business one day they shouldn't stop making truck parts and leave everybody high and dry.

At first glance this seems like a $10K fix.

What should the trade be for corporate liability shield from the government?

Re: (Score:1)

by SlayerOfKings ( 959336 )

D-Link didn't even support these for 5 years, which is pretty shite. In general though I would say the manufacturer is morally obligated to provide security fixes until the day they open source the firmware.

Re: (Score:2)

by Z00L00K ( 682162 )

End of life isn't decided by the manufacturer, it's a user decision.

End of sale is different. So is end of support.

However, serious security vulnerabilities need to be addressed. But anyone that connects devices directly to the internet without a firewall, or with a firewall opening to the device, isn't security aware. Anyone that leaves UPnP on is not security aware, since that allows any random device to poke holes through your firewall.

Proprietary firmware is evil (Score:4, Interesting)

by Gravis Zero ( 934156 )

Vendors should be forced to fully open-source proprietary firmware when they are no longer willing to provide security updates.

Re: (Score:2)

by anoncoward69 ( 6496862 )

It's almost certainly based on linux. Nothing is stopping anyone or group from rolling their own distro for these devices. People did it for the Linksys WRT router series.

Re: (Score:2)

by molarmass192 ( 608071 )

It's not that easy, you can't just stick Linux on it; you need to know virtually everything about the boot loader, memory layout, and chipsets used in order to cobble together a custom image that can run on the thing. This guy (mostly) did it for the DNS-320, but it's not something people who don't know C, U-Boot, or Linux internals are going to be able to pull off without bricking their NAS:

[1]https://hackaday.io/project/17... [hackaday.io]

A possible solution is for vendors to open source as much of the last viable version of

[1] https://hackaday.io/project/179084-rebuilding-the-linux-for-dns-320l-nas/details

Your commentary projects your ignorance. (Score:2)

by Gravis Zero ( 934156 )

> Nothing is stopping anyone or group from rolling their own distro for these devices.

Things that stop people from making their own firmware:

* signed firmware

* proprietary drivers

* using chips that hide datasheets behind NDAs

> People did it for the Linksys WRT router series.

What about the 99% of routers that were completely abandoned?

With service like that...walk away (Score:3)

by divide overflow ( 599608 )

If I knew that D-Link would treat their stuff as so much disposable crap I would never buy it in the first place.

This is an example of a company providing a negative value proposition.

This is yet another example of why I build my own NAS devices, servers, firewalls and routers using open source software.

Proprietary software lock-in makes you a slave to commercial whims and renders your hardware items ticking time bombs.

Re: (Score:3)

by anoncoward69 ( 6496862 )

D-Link has always been disposable crap. They aim for the market that treats all their tech devices as disposable crap.

Carrots and Sticks (Score:4, Interesting)

by gavron ( 1300111 )

Reward vendors who support their products. Punish those who don't.

I will never buy a D-Link product again. Of any type. For any purpose. Not even for consulting clients. Because of this.

I also won't buy Sony products. Because Geohotz.

The list is larger than this but you are welcome to join me. If someone says "Hey this D-Link switch is cheaper" just tell them how D-Link treats you AFTER you give them your money... and eventually this will trickle down to lower quarterly earnings, less enjoyable shareholder 10Q reports, and they may get the message.

Re: (Score:2)

by vux984 ( 928602 )

Not really sure how that's supposed to work. You said you will never buy from them again. I am guessing even if they do something 'good' tomorrow, you will not end your boycott?

In that case, then there is really no useful message being sent here. They've lost you as a customer, and you'll never go back, right? So what happens exactly when they "get the message"?

They change? What would that accomplish? The market forgives them all of the sudden and sales shoot back up? Either you stick to your boycott and th

Meh, I stopped using D-Link ages ago (Score:2)

by ClickOnThis ( 137803 )

Of course, I'm only one data-point, so consider that.

Nevertheless, my experience with a D-Link switch for a home network left me permanently disillusioned. I could not get the thing to perform as advertised, bandwidth-wise. I switched to other brands and never looked back.

While it doesn't help most users (Score:2)

by mistergrumpy ( 7379416 )

there is fully open source replacement firmware available for these systems. I've been running it on my D-Link NAS since 2012.

seems reasonable (Score:2)

by bloodhawk ( 813939 )

These devices were all end of life between 4 and 7 years ago. Seems a pretty reasonable response to say "don't put this shit on the internet or decommission it"

Install Alt-F on your devices (Score:2)

by Spacejock ( 727523 )

You can get the Alt-F firmware from SourceForge. As a plus it allows you to use larger capacity hard drives on these old NAS devices, and can use SMB 2.0 instead of 1.0. I have a 320 and three 323s and it's given them a new lease on life.

They are way past End of Life (Score:2)

by schwit1 ( 797399 )

[1]https://supportannouncement.us... [dlink.com]

Model      End of Service Life
DNS-320    12/01/2018
DNS-320LW  05/31/2020
DNS-325    09/01/2017
DNS-340L   07/31/2019

[1] https://supportannouncement.us.dlink.com/security/publication.aspx?name=sap10383
