D-Link says it won't patch 60k older modems

267 点作者 lobo_tuerto6 个月前

29 条评论

Here's an article for those who'd rather read than watch someone's youtube video:<a href="https://www.techradar.com/pro/security/d-link-says-it-wont-patch-60-000-older-modems-as-theyre-not-worth-saving" rel="nofollow">https://www.techradar.com/pro/security/d-link-says-it-wont-p...</a>Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different

评论 #42252311 未加载

评论 #42252693 未加载

评论 #42256818 未加载

评论 #42251887 未加载

ak2176 个月前

If anyone is looking for alternatives as far as long term supported products go... I've had nothing but good experiences with Ubiquiti (Unifi) and OpenWRT. At the lower end of the price spectrum, OpenWRT supported devices can be an incredible value, and most will probably remain supported for decades to come.More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.

评论 #42252594 未加载

评论 #42253739 未加载

评论 #42252859 未加载

评论 #42252419 未加载

评论 #42256352 未加载

评论 #42256008 未加载

评论 #42252815 未加载

mitjam6 个月前

This is something the EU Product Liability Directive potentially addresses. It demands that vendors (or importers) of products need to update their product if that's required to keep them secure. Otherwise they are liable for damages, even psychological damages.There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.In Germany there is something similar in place, already and the expectation is that products (and necessary apps to run the products) need to be updated for 5 years on average.

评论 #42255558 未加载

评论 #42255557 未加载

smitelli6 个月前

Background on the underlying context of the bug: <a href="https://www.youtube.com/watch?v=-vpGswuYVg8" rel="nofollow">https://www.youtube.com/watch?v=-vpGswuYVg8</a> -- It's objectively unforgivable.

评论 #42251970 未加载

alias_neo6 个月前

I've had a box of old wifi-routers for years that I'd been meaning to reverse engineer and write up blog posts on the vulnerabilities to educate people on just how poor quality the software is written for the things you buy in your local electronics store. Every 3-4 years I'd have to buy another because the manufacturer stopped providing updates, even when I was buying their higher-end stuff.I myself moved on to an Ubiquiti Edge Router almost 10 years ago, but Ubiquiti didn't do a great job of that in the long term and they ditched the EdgeRouter/EdgeMAX line so I ended up (and I wasn't interested in Unifi line for my router/firewall) buying a Protectli box, flashed coreboot and used pfSense for a while before eventually moving to OPNSense.I came to the conclusion over this time that any consumer network equipment is basically junk and if you care at all about security you shouldn't use it; sadly that's easier said than done for non-techy folks.Many pieces of older/cheaper hardware can be flashed with OpenWRT and I'd recommend that as the cheapest option for anyone who cares just a little, and doesn't want to buy new hardware, and for everyone who really wants to make an effort should buy some hardware that can run a properly maintained router OS like pfSense or OPNSense, even an all-in-one wifi-router-switch if you don't want to build out an entire SMB network.

评论 #42257586 未加载

486sx336 个月前

Or well… if you have one of these models, this is the way.<a href="https://openwrt.org/toh/d-link/start" rel="nofollow">https://openwrt.org/toh/d-link/start</a>

评论 #42252800 未加载

tptacek6 个月前

Look I am just being grumpy about this and I know it has nothing really substantive to do with the underlying story, which is D-Link EOL'ing products, but: there is really no such thing as a "9.8" or "9.2" vulnerability; there is more actual science in Pitchfork's 0.0-10.0 scale than there is in CVSS.

评论 #42254487 未加载

fresh_broccoli6 个月前

It's a shame that MikroTik routers' UI is completely unsuitable for non-powerusers.Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.

评论 #42254178 未加载

评论 #42251962 未加载

评论 #42253004 未加载

wuming26 个月前

Wasteful choice enabled by not being entirely responsible for pollution, energy consumption and trash. If they had to pay for environmental full restoration, energy at full cost and careful disposal of unsuitable hardware decision would have been different.

评论 #42254932 未加载

zahlman6 个月前

To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.

评论 #42252486 未加载

评论 #42253657 未加载

评论 #42251597 未加载

评论 #42255380 未加载

评论 #42251925 未加载

slimebot806 个月前

Most "Critical" thing is: you buy a new router that is not from Duh-Link.

guidedlight6 个月前

I remember this happened before, and someone smarter than me exploited the vulnerability to access every router and patch it remotely.

markhahn6 个月前

how about this: you can only abandon hardware if you enable open firmware on it.

ChrisArchitect6 个月前

Related:D-Link tells users to trash old VPN routers over bug too dangerous to identify<a href="https://news.ycombinator.com/item?id=42201639">https://news.ycombinator.com/item?id=42201639</a>

clwg6 个月前

Just opensource the firmware and redirect the update url.

评论 #42251596 未加载

评论 #42255690 未加载

isodev6 个月前

Can't there be a law that says something like "you can't release new hardware while you have unpatched older hardware still in use"? Recall or update your stuff first, release new things second.

评论 #42253097 未加载

评论 #42253443 未加载

评论 #42253023 未加载

znkynz6 个月前

D-Link says buy a new router after vulnerability emerges after the signposted end of support date.

评论 #42252003 未加载

pt_PT_guy6 个月前

One of the reasons why there are major security f-ups: no accountability and no consequences

pcl6 个月前

I see a lot of comments here recommending OpenWRT. I’ve been happy with it in some deployments, but also don’t overlook the alternatives! I just had a wonderful experience with Fresh Tomato repurposing an integrated router / AP / 4-port switch as a multi-WAN router.It would have been doable with OpenWRT’s robust scripting support, but was just a few clicks in the UI with Fresh Tomato.<a href="https://freshtomato.org/" rel="nofollow">https://freshtomato.org/</a><a href="https://en.m.wikipedia.org/wiki/Tomato_(firmware)" rel="nofollow">https://en.m.wikipedia.org/wiki/Tomato_(firmware)</a>

dmix6 个月前

Not downplaying the risks, but could a vulnerability on a d-link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SOCs used on them powerful enough these days.

评论 #42251580 未加载

DocTomoe6 个月前

„Just buy a new modem“ they say … sure won’t be a D-Link ever again.

chipweinberger6 个月前

The D-Link DSR-150 was released in 2012It was the first information I wanted to know, but it wasn't in the article.

a1o6 个月前

Any good router access point that has nice gigabit Ethernet and really good WiFi, for a second access point in the house?

sitkack6 个月前

I could see them facing criminal liability here. Someone is having hard conversations with their insurance company.

o11c6 个月前

Discussion around this seems very confused; there are quite a few severe vulnerabilities this year in various products (routers and NASes).<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3273" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-3273</a> <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383" rel="nofollow">https://supportannouncement.us.dlink.com/security/publicatio...</a> (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-45694" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-45694</a> <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10412" rel="nofollow">https://supportannouncement.us.dlink.com/security/publicatio...</a> (September 16) affects routers (DIR-* products), fix by upgrading frimware<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-10914" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-10914</a> <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413" rel="nofollow">https://supportannouncement.us.dlink.com/security/publicatio...</a> (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance<a href="https://nvd.nist.gov/vuln/detail/CVE-2024-11066" rel="nofollow">https://nvd.nist.gov/vuln/detail/CVE-2024-11066</a> <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10414" rel="nofollow">https://supportannouncement.us.dlink.com/security/publicatio...</a> (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.(no CVE?) <a href="https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415" rel="nofollow">https://supportannouncement.us.dlink.com/security/publicatio...</a> (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)

Uptrenda6 个月前

Yeah, this doesn't surprise me one bit. The number of vulns that get patched in home routers is staggering (D-Link is particularly shit-tier and known for this.) If there's that many vulns being fixed then imagine the backlog of unfixed vulns... Then imagine how many legitimate issues have to be hand-waved away because engineers know there's no way in hell they'll ever get the time to fix them. And have to prioritize the worst problems.It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent peoples networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibly that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when its done badly.

seam_carver6 个月前

Huh I recently retired all my Dlink routers as soon as they stopped getting security updates, lucky me.

评论 #42259615 未加载

TheRealPomax6 个月前

I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?

评论 #42251918 未加载

评论 #42252002 未加载

likeabatterycar6 个月前

I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.

评论 #42256353 未加载

评论 #42255162 未加载

评论 #42251859 未加载

评论 #42251673 未加载

评论 #42259675 未加载

评论 #42251825 未加载

评论 #42251627 未加载