{"id":2037237,"date":"2024-11-21T12:33:40","date_gmt":"2024-11-21T17:33:40","guid":{"rendered":"https:\/\/securityboulevard.com\/?p=2037237"},"modified":"2024-11-21T12:33:40","modified_gmt":"2024-11-21T17:33:40","slug":"d-link-router-critical-rce-sol-richixbw","status":"publish","type":"post","link":"https:\/\/securityboulevard.com\/2024\/11\/d-link-router-critical-rce-sol-richixbw\/","title":{"rendered":"Here\u2019s Yet Another D-Link RCE That Won\u2019t be Fixed"},"content":{"rendered":"
\"A<\/a>Stubborn network device maker digs in heels and tells you to buy\u202f\u202fnew\u202f\u202fgear.<\/strong><\/h5>\n

D-Link is once again<\/em> under fire for not patching critical vulns.<\/strong> As with last week\u2019s D-Link d\u00e9b\u00e2cle<\/a>, the firm\u2019s digging in its heels because the devices are a few months past their arbitrary end-of-life date (EOL).
\n
\nThis week, it\u2019s a buffer overflow in six router products.<\/strong> In today\u2019s SB\u202f\u202fBlogwatch<\/a>, we wonder what next week\u2019s will be.
\n
\nYour humble blog\u00adwatcher<\/a> curated these bloggy bits for your enter\u00adtain\u00adment. Not to mention:\u202f\u202fScience!<\/i>
\n<\/p>\n

D-Licious<\/h2>\n

What\u2019s the craic?<\/strong> Bill Toulas reports: D-Link urges users to retire VPN routers impacted by unfixed RCE flaw<\/a><\/p>\n

\u201cCritical flaws<\/tt>\u201d<\/strong>
\nThe vulnerability\u202f\u2026\u202fimpacts all hardware and firmware revisions of DSR-150 and DSR-150N, and also DSR-250 and DSR-250N from firmware 3.13 to 3.17B901C. These VPN routers, popular in home office and small business set\u00adt\u00adings,\u202f\u2026\u202freached their end of service on May 1.
\n\u2026
\nD-Link has made it clear\u202f\u2026\u202fthey will not be releasing a security update. [It is] the networking hardware vendor’s strategy not to make exceptions for EoL devices when critical flaws are discovered, no matter how many people are still using these devices.
\n<\/p>\n

What are we supposed to do about it?<\/strong> Sead Fadilpa\u0161i\u0107 has more: D-Link is telling users to stop using these routers immediately, or face hacking<\/a><\/p>\n

\u201cCriminals will try to compromise<\/tt>\u201d<\/strong>
\nD-Link said that both hardware and firmware for these devices have expired, and workarounds are not recommended. \u2026 Instead, it urged users to retire the affected devices and replace them with newer, supported models.
\n\u2026
\nOnce word gets out, cybercriminals will definitely start scanning for vulnerable routers. \u2026 Being the gateways of all internet traffic on a local network, [they] are usually the first thing criminals will try to compromise in their attacks. End-of-life devices with known critical vulnerabilities, especially RCE, are considered low hanging fruit.
\n<\/p>\n

Horse\u2019s mouth?<\/strong> Please Retire and Replace – Reported Security Vulnerabilities<\/a>:<\/p>\n

\u201cRecommends that this product be retired<\/tt>\u201d<\/strong>
\nThis exploit affects this legacy D-Link router and all hardware revisions, which have reached their End of Life (“EOL”)\/End of Service Life (“EOS”) Life-Cycle. Products that have reached their EOL\/EOS no longer receive device software updates and security patches and are no longer supported by D-Link. \u2026 When products reach EOS\/EOL, they can no longer be supported, and all firmware development for these products cease.
\n\u2026
\nD-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. \u2026 If you are an owner of a D-Link Model listed below and live in the US, D-Link will offer you a new DSR-250v2\u202f\u2026\u202ffor 20% off. \u2026 Affected Models: DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500N, DSR-1000N.
\n<\/p>\n

Less PR flim-flam, please.<\/strong> Mentat74<\/a> translates for us:<\/p>\n

\u201cOur old products are **** and full of security holes that we won’t patch. Please buy our new products!\u201d
\n\u2026
\nAlso:\u202f\u2026\u202fHow convenient that this particular bug has been discovered so soon [after] EOL.
\n<\/p>\n

D-Link doesn\u2019t look so good.<\/strong> NewtonsLaw<\/a> seconds the motion:\u00a0[You\u2019re fired\u2014Ed.]<\/em><\/p>\n

Seriously? \u2026 D-Link just signed its own death-warrant.
\n\u2026
\nWho in their right mind would buy or use any product bearing the D-Link brand if this is the way they deal with flaws in their products that compromise the security and integrity of users’ systems? What are they smoking?<\/i>
\n<\/p>\n

Be vewwy, vewwy qwiet!<\/strong> elmerfud<\/a>\u2019s huntin\u2019 wegulation:<\/p>\n

This is where I wish governments would step in and stop allowing companies to make appliances that are throw away. I understand that a company can only viably support or offer warranty for a limited time period but that should not cause something to become trash when [EOL].
\n\u2026
\nThe right to repair movement focuses mostly on the actual repair of the item but when so many of these items are using microcontrollers that are running software code,\u202f\u2026\u202fthe right to repair the hardware itself is insufficient. The United States is too dumb and too controlled by businesses to pass any meaningful legislation but I would hope that the EU would step up and pass legislation that says when you EOL a prod\u00aduct\u202f\u2026\u202frun\u00adn\u00ading software code, you must also open source [it] along with all appropriate tooling. \u2026 This way the community can continue to repair these devices.
\n\u2026
\nOne other thing that should be considered is that, even though this is an end of life product, this was a defect that existed from the beginning of the life of this product. Therefore this was defective the entire time\u2014it just wasn’t discovered until now. This is another area a legislators need to step in and correct. Automobiles have no time limit on a safety recall. \u2026 It doesn’t matter if it took 15 years to be dis\u00adcov\u00adered,\u202f\u2026\u202fthe manufacturer is required to correct it.
\n<\/p>\n

But is anyone paying attention?<\/strong> MoMonies<\/a> thinks not:<\/p>\n

Chances are that any business that is still using this is completely unaware that they have [one] and that it is now extremely vulnerable.
\n<\/p>\n

However,<\/strong> bill001g<\/a> doesn\u2019t agree:<\/p>\n

They are basically e-waste. Who is really going to be running a router with 100mbps ports nowadays? Commercial equipment is generally replaced long before it hits end of life.
\n<\/p>\n

Meanwhile,<\/strong> where does the company get its name? Mitoo Bobsworth<\/a> has often wondered that:<\/p>\n

D for Dud? I often wondered what it stood for.
\n<\/p>\n

And Finally:<\/h4>\n

Don\u2019t try this at home, kids<\/a><\/b>