Hackers actively exploit critical remote takeover vulnerabilities in D-Link devices

Status
You're currently viewing only SeanJW's posts. Click here to go back to viewing the entire thread.

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
I had to look at the site, but D-Link does list phase out dates (2017 for the first one). Which meant that device could have a service life of only 3 years? (2020 was the end date). Oof.
I'd hate to buy a NAS expecting only a 3 year service life.

There’s alternative firmware for that one at least - I had a couple once, and put newer stuff on there that actually had updates before I gave it to a friend… and it’s not accessible on the internet. They’re bare minimal devices, throw some spinning rust in and get a basic mirror.
 
Upvote
21 (21 / 0)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
There is open source firmware available for most of these models called Alt-F (LINK). While it hasn't been touched in a few years, at least it doesn't have a backdoor.
If nothing else you need that for a more recent Samba version that actually works with current Windows. I was using them for NFS I think so it didn’t matter to me.
 
Upvote
2 (2 / 0)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
You'd be correct.

Here are a few of the bulletins covering an assortment of popular models:

https://www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce
  • DIR-655
  • DIR-866L
  • DIR-652
  • DHP-1565
https://www.fortinet.com/blog/threa...covers-vulnerability-in--d-link-router-dir868
  • Affected models: DIR868L
  • Affected firmware: v1.09SHC
  • Fixed firmware: v1.21SHCb03
https://www.trustwave.com/en-us/res...iple-security-vulnerabilities-leading-to-rce/
  • DSL-2888A
https://www.tenable.com/security/research/tra-2021-44
  • DIR-2640
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10302
  • DAP-1522
  • DIR-300
  • DIR-600
  • DIR-601
  • DIR-629
  • DIR-645
  • DIR-815
  • DIR-816L
  • DIR-817Lx
  • DIR-818Lx
  • DIR-820Lx
  • DIR-825
  • DIR-850L
  • DIR-860L
  • DIR-865L
  • DIR-868L
  • DIR-880L
  • DIR-885L/R
  • DIR-890L/R
  • DIR-895L/R
There are quite a few more, but you get the idea. These aren't obscure devices, either; there were a lot of these in the wild, and no doubt still are, just flapping away in the breeze.

To be fair (and with D-Link, Netgear, Belkin, Linksys et al, it's very difficult to be fair....), most of that stuff is on the inside, and they do make it almost secure on the border. Not that it helps in the slightest in that it's not a perfect record, and being insecure on the inside just means a mass-scan won't happen, they'll just take advantage of your browser to do the compromise instead....
 
Upvote
2 (2 / 0)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
I sometimes wonder if the law should be that any unsupported software must be either upgraded for a reasonable cost (say max 20% of the initial cost), or open-sourced incl. update tooling.

I don't see any other way to stop that cycle since security issues are an externality from the sellers' point of view, especially in the consumer space (corps hopefully take support into account)? Maybe applicable only to devices/apps directly accessible from the 'net?

Err....there's open source replacement firmware for these. The links are already in the comments. That's abandoned too btw - last release years ago; last downloadable updates on top of that years ago.
 
Upvote
0 (0 / 0)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
I think that "we're not going to patch it because it's no longer supported" excuse might need a little regulating in the future when it comes to infrastructure / network equipment, especially if it comes on a device that is in wide use and could lead to potential harm (e.g. botnet, etc.).

In some specific scenarios that could be akin to a car manufacturer claiming the same when a major defect is found .. "yeah, but we're not going to recall or fix it because it's out of support."

That's what "not supported" means. They announced the "not supported" years ago. If you use it after "not supported" it means you're using it knowing it won't get patches. "Not supported" means "if it breaks, you get to keep both of the pieces".
 
Upvote
2 (4 / -2)