Here's an article for those who'd rather read than watch someone's youtube video:
https://www.techradar.com/pro/security/d-link-says-it-wont-p...
Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different
Ok, we've changed to that from https://www.youtube.com/watch?v=52v6gKPA4TM above. Thanks!
Another 60,000 devices ripe for malicious entities to use in their botnet.
Look I am just being grumpy about this and I know it has nothing really substantive to do with the underlying story, which is D-Link EOL'ing products, but: there is really no such thing as a "9.8" or "9.2" vulnerability; there is more actual science in Pitchfork's 0.0-10.0 scale than there is in CVSS.
If anyone is looking for alternatives as far as long term supported products go... I've had nothing but good experiences with Ubiquiti (Unifi) and OpenWRT. At the lower end of the price spectrum, OpenWRT supported devices can be an incredible value, and most will probably remain supported for decades to come.
More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.
Or well… if you have one of these models, this is the way.
https://openwrt.org/toh/d-link/start
Background on the underlying context of the bug: https://www.youtube.com/watch?v=-vpGswuYVg8 -- It's objectively unforgivable.
TL;DW:
Call GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
account_mgr.cgi is safe, it takes web parameters "name", "pw" and calls the equivalent of
"account" was written by the intern and runs
To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.
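The command-injection pattern summarized in the TL;DW above, as a small constructed Python example added here (it is not D-Link's code and not taken from the video): the vulnerable handler pastes the web parameter into a shell command string, `shell_commands()` shows how /bin/sh would tokenise the result, and the hardened handler validates the name and builds an argv list for a shell-free `subprocess.run`. The `account` helper name and its flags, the query-string parser, the username policy and the `INJECTED` placeholder are all assumptions; nothing in the block executes a command.

```python
"""Command-injection pattern from the TL;DW, in vulnerable and hardened form.

Constructed example: the CGI handler and the `account` helper are stand-ins,
not the vendor's code. The "vulnerable" path only builds the string it would
hand to system(); shell_commands() shows how /bin/sh would split that string.
"""
import re
import shlex
from typing import Optional
from urllib.parse import unquote

# Username policy for the hardened handler (assumption: POSIX-style login names).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_query(query_string: str) -> dict:
    """Minimal CGI query-string parser: split on '&', percent-decode both sides."""
    params = {}
    for pair in query_string.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def vulnerable_command_line(query_string: str) -> str:
    """The pattern the TL;DW describes: web parameters pasted into a shell
    command line. Single quotes do not help, because a quote in the input
    closes them and ';' starts a new command."""
    p = parse_query(query_string)
    return f"account -a -n '{p.get('name', '')}' -p '{p.get('pw', '')}'"


def shell_commands(command_line: str) -> list:
    """Tokenise as /bin/sh would and split on ';' to show how many separate
    commands the shell would run. Analysis helper only, no execution."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


def hardened_argv(query_string: str) -> Optional[list]:
    """Hardened form: validate the parameter against an allowlist, then build
    an argv list for subprocess.run(argv) with no shell, so metacharacters are
    never interpreted even if validation were bypassed. None means rejected."""
    p = parse_query(query_string)
    name, pw = p.get("name", ""), p.get("pw", "")
    if not USERNAME_RE.match(name):
        return None
    if not pw or len(pw) > 128:
        return None
    return ["account", "-a", "-n", name, "-p", pw]


if __name__ == "__main__":
    # Constructed request in the shape of the TL;DW payload, with an inert
    # placeholder word where a command would go.
    bad = "cmd=cgi_user_add&name=%27;INJECTED;%27&pw=x"
    good = "cmd=cgi_user_add&name=alice&pw=hunter2"
    print(shell_commands(vulnerable_command_line(bad)))   # three commands
    print(shell_commands(vulnerable_command_line(good)))  # one command
    print(hardened_argv(bad), hardened_argv(good))        # None, argv list
```

The argv list is the actual fix: with no shell involved, a quote or semicolon in the name is just bytes in one argument. The allowlist regex is defence in depth and gives a clean place to log and reject malformed requests, and `shell_commands()` doubles as a review helper for command lines recorded from handlers of this shape.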
I'm pretty sure a 9.8 CVE for something connected directly to WAN is a very bad thing.
The point is that the title puts the number up there to sensationalize. It doesn't concretely explain the scope or magnitude of the vulnerability.
The problem is the way those specifics are handled. The Complexity metric is intended to handle the "specific configuration required" scenario but nobody is really incentivized to properly score their stuff.
Most "Critical" thing is: you buy a new router that is not from Duh-Link.
I remember this happened before, and someone smarter than me exploited the vulnerability to access every router and patch it remotely.
Related:
D-Link tells users to trash old VPN routers over bug too dangerous to identify
https://news.ycombinator.com/item?id=42201639
Wasteful choice enabled by not being entirely responsible for pollution, energy consumption and trash. If they had to pay for environmental full restoration, energy at full cost and careful disposal of unsuitable hardware decision would have been different.
how about this: you can only abandon hardware if you enable open firmware on it.
It's a shame that MikroTik routers' UI is completely unsuitable for non-powerusers.
Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.
They've been trying lately though, you can supposedly set one up for a basic PPPoE and DHCP scenario using the MikroTik phone app and they have a Back To Home WireGuard VPN setup app
Just opensource the firmware and redirect the update url.
That doesn't set a good precedent though. The community shouldn't be expected to carry every IoT device.
Maybe not, but it'd be nice to have the option. Wouldn't it?
If you as a user want third-party firmware usually you can jailbreak and install it yourself (especially if the original firmware has zero security). If we allow a vendor to choose to make "the community" responsible for their firmware, almost every vendor will choose that as quickly as possible (e.g. one year).
D-Link says buy a new router after vulnerability emerges after the signposted end of support date.
Having experienced D-link products first hand I’d say that anyone with a D-link product should buy something else anyway.
Something that supports OpenWRT.
Not downplaying the risks, but could a vulnerability on a d-link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SOCs used on them powerful enough these days.
It’s powerful enough to MITM traffic if you get someone to install a certificate, and it can easily pass packets wherever the attacker wants.
True, I was thinking of packet analysis being intensive but simpler MITM/splitting it outbound makes sense.
Ransomware and bricking would probably be the primary risk though. And security cams, NAS, printers, etc.
This is also true of every intermediate router between you and the destination.
TLS would not need to exist otherwise.
Most intermediate routers don't have easily exploitable holes allowing attackers to take them over to MITM traffic though...
Discussion around this seems very confused; there are quite a few severe vulnerabilities this year in various products (routers and NASes).
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".
https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading firmware
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).
CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance
https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.
(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.
You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?
> You knew your device was no longer supported and would no longer receive security updates
I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.
[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.
As an adult paying for your ISP service: you have some responsibility here. Whether you want that responsibility or not.
You are on HN so this makes sense to you. Imagine your car was hacked while driving your family in the middle of the desert and bricked. As an adult that bought the car, is this your responsibility that you endangered your family’s well-being?
Yeah, the only thing that might make D-Link's position here unreasonable is how long ago the devices hit EOL. Like if it was last week then they are being a bit petty if they don't issue a patch, but on the other hand if it was 10 years ago it is ridiculous to expect them to patch it. I couldn't find that info in the linked article (probably it's somewhere in between the two extremes I mentioned), but without knowing that context I can't really fault a vendor for saying "EOL means EOL, sorry".
> if it was 10 years ago it is ridiculous to expect them to patch it
I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?
I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.
Why do you think there is such a thing as 'D-Link haters'?
I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...
Sure, but is EOL really a defense given the absolutely pathetic security posture that created this exploit in the first place? Is there a statute of limitations on mind boggling levels of incompetence?
I'd usually give the EOL argument some credit, but this exploit is not an accident, someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this"
We could have passed a law requiring minimum security standards but we didn't. The result was predictable and here it is.
How long should a consumer expect their modem to last? How long ago were they last being sold at retailers?
Wait, has Apple ever exposed an end-point like this?
Do we know how they'd react if they ever did?