Hackers actively exploit critical remote takeover vulnerabilities in D-Link devices

Lord Evermore

Ars Tribunus Militum
2,570
Subscriptor++
There should be a legal requirement to fix or replace anything that is vulnerable because the manufacturer hard-coded credentials into it that can allow remote access. A "we made a mistake" bug/vulnerability I can accept not being fixed when the hardware was introduced 14 years ago and hasn't been supported for 7, even if it's severe, especially for a product that is relatively niche like a NAS. (It's not on billions of devices like Windows or MacOS.)
 
Upvote
91 (93 / -2)

SeanJW

Ars Legatus Legionis
11,977
Subscriptor++
I had to look at the site, but D-Link does list phase out dates (2017 for the first one). Which meant that device could have a service life of only 3 years? (2020 was the end date). Oof.
I'd hate to buy a NAS expecting only a 3 year service life.

There’s alternative firmware for that one at least - I had a couple once, and put newer stuff on there that actually had updates before I gave it to a friend… and it’s not accessible on the internet. They’re bare minimal devices, throw some spinning rust in and get a basic mirror.
 
Upvote
21 (21 / 0)

Lord Evermore

Ars Tribunus Militum
2,570
Subscriptor++
I had to look at the site, but D-Link does list phase out dates (2017 for the first one). Which meant that device could have a service life of only 3 years? (2020 was the end date). Oof.
I'd hate to buy a NAS expecting only a 3 year service life.
The DNS-320L was available at least from mid-2012, with a phase out of late 2017 (meaning it stopped being sold but they still supported it, so that was 5 years of active sales) and a last date of support in 2019 (the link is for the DNS-320, not the L) so even if you bought one right at the end (ignoring stores still selling the model to clear their stock), you only got 2 years of support. But it's pretty obvious when you're searching for devices like this that new models have been introduced, and this model would have been dropping in price because it was approaching the end of its life. It would be a conscious choice in most markets to buy an older model that had a shorter expected support span in order to save money. And of course none of these companies guarantee they're going to provide any updates at all, even within the support period.
 
Upvote
12 (18 / -6)
OK, hardcoded username and password, old hat... but the screenshot is implying that the backdoor account didn't have a password. Am I reading that right?
Wow D-Link, just wow.
Hey, it has a password. That password just happens to be the null string.

Seems safe to me, I never would have guessed it . . .
 
Upvote
61 (62 / -1)
How about this: devices get bricked when the makers drop support—but only at a time communicated to customers before purchase. This would tie important public good outcomes (fewer botnets etc) to matters that everyone can understand and find relevant: cheaper device = buy it twice (as often).
Let's please not needlessly intentionally brick things. Dallas CMOS batteries are already bad enough.
 
Upvote
44 (45 / -1)

alansh42

Ars Praefectus
3,672
Subscriptor++
It looks like the messagebus user was supposed to be a service account but was accidentally left with login enabled. Whoopsie. I don't know about these particular models but external access to the management interface is normally disabled. You get problems if it's enabled (grandma's WiFi keeps going down) or if malicious code gets inside your network. And there's a low bar: viewing a web page specifying that url (at 192.168.1.1) as an image would probably work.

Allowing arbitrary shell code to be executed from a URL seems a poor design, even if it's supposed to be authenticated. Passing a plaintext password in the URL is also bad.
 
Upvote
19 (19 / 0)
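The account misconfiguration alansh42 describes (a service account such as messagebus left with a usable login shell and an empty password) is something you can check for mechanically once a firmware image is unpacked. The script below is an added example for this thread, not code from any post above and not D-Link's or Alt-F's; it parses /etc/passwd and, where present, /etc/shadow and flags accounts that can actually log in. The sample files, account names and hash strings in it are constructed for the example, not taken from a real D-Link image, and the cutoff treating UIDs below 1000 as service accounts is an assumption.

```python
"""Audit passwd/shadow entries extracted from a firmware image for accounts that can log in.

Added example for this thread: looks for service accounts that still have a login
shell and an empty or unlocked password, the situation described for 'messagebus'.
"""
from dataclasses import dataclass

# Shells that refuse interactive login. Anything else (including an empty field,
# which login(1) treats as /bin/sh) counts as a usable login shell.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are service accounts on this image


@dataclass
class Finding:
    user: str
    reason: str


def parse_colon_file(text):
    """Map account name -> list of colon-separated fields; blanks and comments skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text=""):
    """Return one Finding per risky account; an empty list means nothing was flagged."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []

    for name, fields in passwd.items():
        if len(fields) != 7:
            findings.append(Finding(name, "malformed passwd entry"))
            continue
        pw_field, uid, shell = fields[1], fields[2], fields[6]

        # BusyBox-style images often keep the hash in passwd itself; 'x' defers to shadow.
        if pw_field == "x":
            hash_ = shadow[name][1] if name in shadow and len(shadow[name]) > 1 else None
        else:
            hash_ = pw_field
        login_shell = shell == "" or shell not in NOLOGIN_SHELLS
        is_system = uid.isdigit() and int(uid) <= SYSTEM_UID_MAX

        if uid == "0" and name != "root":
            findings.append(Finding(name, "uid 0 account other than root"))
        if hash_ is None:
            # 'x' with no shadow entry: no stored hash can ever match, so no login path.
            continue
        if hash_ == "" and login_shell:
            # Empty field = null password; with a real shell this is exactly the
            # "password happens to be the null string" case from the thread.
            findings.append(Finding(name, "empty password with login shell"))
        elif not hash_.startswith(("!", "*")) and login_shell and is_system and name != "root":
            # A service account should be locked ('!' or '*') or have a nologin shell.
            findings.append(Finding(name, "service account with set password and login shell"))
    return findings


# Constructed sample files for this example; names and hashes are illustrative only.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
messagebus:x:101:101:D-Bus service:/var/run/dbus:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
admin:x:1000:1000:web admin:/home/admin:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:19000:0:99999:7:::
messagebus::19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
admin:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{finding.user}: {finding.reason}")
```

Run it against the passwd and shadow files pulled out of an unpacked image (for example with binwalk or unsquashfs) instead of the constructed samples; on the sample data only messagebus is flagged, because root has a hash, nobody is locked with a nologin shell, and admin is locked with "!". The fix for a flagged service account is the same in either case: lock the hash and give it /usr/sbin/nologin.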

adespoton

Ars Legatus Legionis
10,778
Back in the 1990s, I recall finding a network service that was open unauthenticated to the Internet. I panicked, took the whole Internet connection down, fixed the firewall rules, and brought things back up. Some people weren't very happy, but were mollified when I explained that there had been a device sitting in our network that was accessible to anyone on the Internet who knew to look for it.

Fast forward to the 201x's. I saw a reasonably priced WD external drive for sale and thought "Great! I can use this to expand my local storage and it even has built in NAS services!" Then I noticed that the NAS was on by default and connected out to their cloud interface to manage access. That product quickly went on my Do Not Buy list. A few years later, it was the target of an attack much like this one, and most of the devices were out of support, and so Western Digital wasn't providing updates to fix these things that let anyone access them from the Internet and through a vulnerability, gain full control of the drive's operating system.

WHY DON'T WE LEARN????

It's trivially simple to by default only allow systems like this to operate on a local network. It's also trivially simple to have cable modems/wifi access points/routers/firewalls automatically block incoming traffic. And cloud-based management portals are all well and good, but shouldn't be default-on with no 2fA required, and shouldn't be implemented such that the only thing standing between remote access and the physical device is a vendor's assurances that it is handling privacy and security appropriately.

We solved these issues 30 years ago. Why do we keep ignoring history and expecting different results because of some new buzzword?
 
Upvote
37 (37 / 0)

unsigned

Ars Scholae Palatinae
1,114
How about this: devices get bricked when the makers drop support—but only at a time communicated to customers before purchase. This would tie important public good outcomes (fewer botnets etc) to matters that everyone can understand and find relevant: cheaper device = buy it twice (as often).

If we’re offering wild ideas that will never happen for $reasons, how about open sourcing at the EoL date? Let the community figure it out.
 
Upvote
46 (46 / 0)

jerminator

Ars Centurion
360
Subscriptor
OK, hardcoded username and password, old hat... but the screenshot is implying that the backdoor account didn't have a password. Am I reading that right?
Wow D-Link, just wow.

Maybe I misunderstood you but how would it be better if there was a hardcoded username and password? What's pathetic is the hardcode not that there's two values or one.
 
Upvote
9 (9 / 0)
D-Link, ducking their responsibility is ... gross. And to arrogantly announce the same is a violation of what the term responsibility means. They are saying that because the owners of our previous devices did NOT buy our new, and safer (now) devices, what happens to them is their fault.
This is corporate greed and bullshit.
I'll never buy another product from these a-holes.
 
Upvote
7 (8 / -1)

pomkuit

Seniorius Lurkius
21
Subscriptor
There is open source firmware available for most of these models called Alt-F (LINK). While it hasn't been touched in a few years, at least it doesn't have a backdoor.
Yes, I used this firmware for years before retiring my DNS-323. It was soooo much better than D-Link original firmware. Now for my very simple NAS I have an ODROID HC4 + openmediavault (and just using a Linux distro was also an option): cheap, quiet, no problem whatsoever for months.
 
Upvote
2 (2 / 0)
I've been using Windows 10, and now Windows 11, with StableBit DrivePool for my home storage. This setup replaced my Windows Home Server 2011 setup that I was using before. In fact I started using StableBit even when I was running Windows Home Server, as the drive pooling was much better with StableBit. Works great for mixing and matching hardware drives of various sizes, with redundancy built in. The setup has been running great for 10+ years, with hardware updates done sporadically when needed. I still get updates from StableBit fairly regularly (and of course rely on Windows Update for security). I've had up to 10 drives in the drive pool, but am now down to 5 larger drives (30 TB total). I would highly recommend StableBit if you want a simple setup where you can mix and match drives, and want long-term support, and don't mind the system running Windows. Won't be as power efficient as a NAS, but having Windows also lets you do other things, such as running a Minecraft server, etc...
 
Upvote
-1 (1 / -2)

Trentmoller

Wise, Aged Ars Veteran
142
It's apparently possible to install mainline Debian on most of these devices, which are beefier than I expected. But it requires soldering a serial header into the main board, something I don't imagine many consumers of cut-price devices like this would be inclined to do.

Still, there's no good reason OpenWrt couldn't be ported over; these have more than enough CPU power, RAM, and flash space to accommodate that. And since they're likely to start turning up on recycling and thrift shop shelves soon, maybe it'll happen.
 
Upvote
5 (5 / 0)

williamyf

Ars Tribunus Militum
2,470
I'd love to better understand why anyone would expose a NAS to the Internet. Ok, that's a lie. I wouldn't want to spend even one second hearing someone justify something so blatantly stupid.
My Synology is exposed to the internet. It allows me, among other things, to listen to my music collection (lossless rips of CDs) while on the go, or watch my movies while visiting my parents and family some 120 km away.

If I were so inclined, I could set up a personal cloud, including collaboration, email, and cloud drive.

While I was teaching Cloud Computing (OpenStack) all over LatAm, having my NAS connected to the internet allowed me to retrieve documents (technical or otherwise) as needed. Normally about things adjacent but not related to the training, so as to generate rapport with the students.

Those are my reasons.

Edit: My NAS is a Synology DS1515+. If you plan to hook up your NAS to the internet, better get a decent NAS, from Synology, or QNAP or some other reputable NAS maker...

¿D-Link? I do not know, but the name does not inspire confidence.
 
Upvote
-6 (5 / -11)

PsychoArs

Ars Scholae Palatinae
1,019
Subscriptor
"D-Link said it had no plans to patch the vulnerabilities, which are present only in end-of-life devices, meaning they are no longer supported by the manufacturer."

Watch this...

Patch the vulnerabilities, then they're supported by the manufacturer so it's okay to have patched the vulnerabilities.

A tautology does not a good argument make.

Seriously, this shouldn't be allowed. Sorry, but vehicle manufacturers in the US have to do safety recall work out to fifteen years, even if the car is out of warranty, or out of production, or both. Software issues that jeopardize data should be in the same category. If D-Link (or anyone else) wants to stop fixing the flaws they shipped their product with before fifteen years have gone by, I guess they'll just have to go out of business. And not sell their assets and liabilities in the bankruptcy.
 
Upvote
2 (6 / -4)

slogger

Ars Scholae Palatinae
627
Can we get a guide that is continually updated for what wifi routers to buy that get security updates 'til the cows come home (e.g. ship w/ open source self updating or have really long mfr support)? I really ought to replace my router (unless I flash the firmware - it's like 10+ years old) and trying to go through all the makers and models is just unpleasant.
 
Upvote
2 (2 / 0)

Ronin_48

Wise, Aged Ars Veteran
113
Subscriptor
I wouldn’t trust any remote connection to an internal system that doesn’t pass through a VPN, and even in such cases I am very reluctant to expose something from the internal home network. It is just too risky for the benefit of accessing photos or documents that can be stored in a 2FA-protected cloud service.
 
Upvote
13 (13 / 0)