So, why does D-Link suck a big one!?! “D-Link Leaves Critical Hole Open for 5 Months, And Counting”

Tim Thorpe – July 1, 2006 9:33 AM

D-Link hasn’t fixed a critical vunerability after it was reported to them 5 months ago

A serious security vulnerability reported last February to D-Link still hasn’t been fixed in a number of routers affected, according to several readers who have emailed DailyTech. The vulnerability allows remote code to be executed through the routers firmware potentially leaving affected customers vulnerable to attack. The vulnerability can give an attacker complete control over any and all network traffic.

The effected products are:

* DI-524 (Wireless)
* DI-604*
* DI-624 (Wireless)
* DI-784* (Wireless)
* EBR-2310*
* WBR-1310 (Wireless)
* WBR-2310 (Wireless)

*(Denotes firmware update available)

D-Link has hardly said a word publicly about the issue and has only patched a small portion of the devices affected. In fact the only word directly from D-Link is from a supposed support staff member in a post on the forums. According to that person the issue has to do with UPnP, a LAN side protocol thus reasoning that the problem isn’t susceptible to WAN or internet side attacks.

Unfortunately because some of the effected routers are wireless it isn’t unlikely that an attacker might compromise the router by gaining access to the wireless portion of the router and injecting malicious code. Even secured wireless routers aren’t foolproof and given enough time and resources these too can be compromised. The only advice that can be given at this point from security researchers is to discontinue using the affected routers until a fix is published by D-Link as there is nothing the consumer can to do mitigate the issue themselves.

D-Link was also recently in the news when its engineers began using a FreeBSD NTP top level server as the primary time server for its devices. The issue was solved eventually, and new routers stopped using the NTP server.


About this entry