back to article D-Link issues rip and replace order for besieged NAS drives

D-Link is telling owners of expired NAS devices to pack them away and replace them with newer kit following the publication of security vulnerabilities that together are now being actively exploited. It doesn't help that the devices, that reached their end-of-service (EOS) date years ago, have a backdoor (CVE-2024-3272, CVSS: …

  1. may_i

    Great business plan!

    1. Make something useful

    2. Put lots of security holes in it

    3. Stop updating it and fixing the holes

    4. Offer a new version with new holes

    5. Profit!

    I have a similar, cheap as chips, Zyxel NAS. It was also full of holes plus some spyware that tried to download everything I uploaded to it.

    It runs Debian now. It can't be reached from the Internet and doesn't open any external connections either. It's a great backup device for my real NAS. No replacement needed!

    1. Drake Maijstral

      Re: Great business plan!

      Eh, this has always been D-Stink's business model. About twenty years ago, they had a few models of wifi AP that were found to be vulnerable to a DoS via telnet (oh man, those were the days! :P ).

      Did they release updated firmware for those models? Nope! D-Link's 'fix' was to add a FAQ entry that said 'If you're doing this - STOP'.

      https://web.archive.org/web/20060321030338/http://support.dlink.com/faq/view.asp?prod_id=1269&question=DI-604%20/%20DI-614+%20/%20DI-624%20/%20DI-754%20/%20DI-764%20/%20DI-774%20/%20DI-604E1%20/%20%20DI-614+revB%20/%20DI-624C%20/%20DI-774B

      After two decades, anyone still surprised by D-Link's piss-poor product support hasn't been paying attention. :)

  2. abend0c4 Silver badge

    Enabled by hardcoded credentials

    Not a flaw caused by the ageing of the hardware - or indeed the software - so I'm not sure why supposed life-expiry is relevant.

    1. Dave 126 Silver badge

      Re: Enabled by hardcoded credentials

      Indeed, it clearly wasn't 'fit for the purpose for which it was sold' at the time it was sold. Once upon a time this would mean that it was the seller's responsibility to replace it, regardless of guarantee period - I haven't kept up on what the current state of the loopholes that tech companies use to dodge responsibility.

      1. Missing Semicolon Silver badge

        Re: Enabled by hardcoded credentials

        I'm sure it pretty well is. Any security hole was present at the point of sale.

        I think D-Link thing we believe that software "rots" so that security holes "emerge". We need to remind people that this is not so.

      2. I could be a dog really Bronze badge

        Re: Enabled by hardcoded credentials

        The problem is that it would be a civil case to recover damages (refund or replacement). In England the limit for bringing such cases is 6 years, in Scotland it's 5 years (IIRC). Technically, there is no time limit to the Sale of Goods and Services Act (or whatever it's successor is called these days), but after 6 years you can go swivel as no court will accept your case as it's time excluded. So unless you bought one of these "old" devices new within the last 6 years, then you have no recourse.

        But the thing to take away from this is as others have said - take it as notice of what the vendor thinks about security. And to be fair to D-Link, it's common practice - I'd say it's standard practice in the tech world. So check out what the vendor's lifespan policy is, i.e. how long you can expect support for whatever* you are buying.

        * I nearly inserted "cheap s**t" in there, but this applies to expensive kit as well - e.g. when Cisco stuff reaches end of support, that's it.

  3. williamyf

    You can "TRY" patching that NAS with ALT-F

    ALT-F Provided ALTernative-Firmware for D-Link NASes, many of which are the subject of this CVE. AS an added bonus, said updates provided support beyon the SMB1 only support D-Link provided.

    I do not have a D-Link NAS, and heard about ALT-F thanks to user jm1 over at Ars

    I say "provided" because the last major firmware they provided is dated 2017, and the last patch of said FW was a few months latter. But still, better than nothing, I guess, doubly so if it plugs this particular hole.

    A little more time to save up for a newer NAS from a reputable source, and with a decent CPU, so it gets a long support window

    Other than that, you know the ussual routine: block acess to the NAS to and from the internet, harden the NASs security configuration, etc...

    Link: https://sites.google.com/site/altfirmware

    1. may_i

      Re: You can "TRY" patching that NAS with ALT-F

      Just don't make your NAS accessible from the Internet. Even if you *think* it is fully patched. Is anything really that important that you're prepared to make your NAS a honeypot?

      Even if your shiny new NAS is from "a reputable source", it isn't suitable for putting on the Internet.

      A long time ago, I had a QNAP NAS. I used their service which functioned as a proxy so that I could access my NAS when I was away from home. It was only when I heard the NAS running its fan at full speed when it wasn't supposed to be doing anything that I found out I had been owned. Some enterprising people had broken in to QNAP's proxy and planted their Monero miner on tens of thousands of customer machines.

      I was lucky this was before the ransomware gangs got started.

  4. Anonymous Coward
    Anonymous Coward

    not sure what's dumber...

    Hardcoded username/password was a dumb idea that has been burning people for decades now. Pair that with exposing a NAS to the Internet... well that's just bad news.

    If you really need a break glass emergency access username/password, at least make it unique to the device and print a label for inside or underneath the box.

    Now, in this case, if Dnet really has 92,000 vulnerable devices on the Internet, I feel like they have some obligation to offer up a patch, at least for the backdoor account. This isn't like some super genius figured out some insanely clever way to exploit a race condition, this was an extremely predictable outcome of bad security choices.

    1. mIVQU#~(p,

      Re: not sure what's dumber...

      They were pitched as internet facing / access from anywhere. People that bought them for those features don’t know any better.

  5. Doctor Syntax Silver badge

    "Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link.

    "D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced."

    Translation: "Don't buy our products."

  6. Dwarf

    Who decides end of life ?

    If I’ve purchased something, I get to choose when it’s come to the end of its useful life, not the manufacturer.

    What we need is for businesses to be compelled to release the code for devices they can’t be bothered with any more so that others can make better firmware.

    You can then bet that manufactures will then start taking more notice and building longer lifespan devices. This also helps to slow down the throw away culture.

    Personally, I’ve got no interest in replacing everything I own every 3-5 years to help a bunch of companies bottom lines.

    1. Flocke Kroes Silver badge

      Re: Who decides end of life ?

      Decades ago a small bunch of people refused to buy computer peripherals without a GPL driver. Their numbers grew until they were called long haired communist hippie idealists. When thier numbers continued to grow we got desktop components with GPL drivers and eventually the same happened laptops.

      The current population of electronics buyers includes a large proportion that do not understand the value of what was achieved. D-Link have run a good educational campaign for: "No source code? No purchase."

      Software has a long history of disappointing people who bought based on a promise of what the next version would do. Compelling vendors to do something long after you gave them money does not work. Some will factually claim they never had rights to the source code in the first place.

      You do not have to let your hair grow below your shoulders. Accept that you will be called names anyway and vote with your wallet.

      1. simonlb Silver badge
        FAIL

        Re: Who decides end of life ?

        D-Link have run a good educational campaign for: "No source code? No purchase."

        Sometimes it's also part of the business plan, especially if taken over by private equity scum. When Drobo (remember them?) were taken over by StorCentric back in 2018 I commented anonymously that the asset stripping would commence the following day and they would be gone in three years. It turns out that by early 2020 you couldn't buy anything from them (no stock available), then they went to Chapter 11 Bankruptcy in 2022 and then Chapter 7 Liquidation last year. They hosted all the support docs and KB as 'self support' from then until early this year until www.drobo.com became unavailable.

        1. Anonymous Coward
          Anonymous Coward

          Re: Who decides end of life ?

          www.drobo.com content is available at The Internet Archive. You can even download Drobo's old software installers.

          Makes me feel smug for having bunged the Wayback Machine some moolah recently.

  7. Grunchy Silver badge

    My DNS-323 still runs Alt-F

    I’m sure it doesn’t have any security vulnerabilities but it does have one bulletproof security feature: the damn thing is so slow (and same as my internet bandwidth) that you’ll never live long enough to steal all my data !

  8. Kevin McMurtrie Silver badge
    Mushroom

    A backdoor? Seriously? That sounds like a willful and malicious manufacturing defect.

    Warranties really need to catch up with the age of software. A good start would be that EOL may not begin until customers have the ability modify and replace onboard software.

  9. Tubz Silver badge

    This is why when a product is EOL and the manufacturer no longer supports, it should become open source, if there is anything propriety, then that's just tough cookie dough!

  10. Anonymous Coward
    Anonymous Coward

    Hard coded "backdoor"?

    A hard coded backdoor = front door. There should be a law requiring companies patch anything coded that bad. EOL should not be an excuse.

    1. John Brown (no body) Silver badge

      Re: Hard coded "backdoor"?

      If there was any danger of that coming into law, watch the scramble as companies create separate entities and "sell" them all the old EOL kit/support/etc and leave them with no resource, financial or otherwise before the law can be enacted. Then, if the law actually does get enacted, watch all those new companies suddenly liquidate. All the IP of course will remain with the original parent companies.

  11. FirstTangoInParis Bronze badge

    Build your own ….

    And it will never be EOL. It’s not that expensive either, the biggest cost is the drives themselves. Get a fanless motherboard eg Celeron J series with four SATA ports and a NAS case and you’re in business. Load up with your fave Linux server distro and customise as you wish. Google for RAID settings, Time Machine support and more.

  12. Grogan Silver badge

    Up yours, D-Link. I quit buying your crappy networking products 20 years ago.

    Also, I've never seen a company that uses different chipsets on their hardware and doesn't change names and model numbers. I remembered ordering NICs and sometimes they were Sundance Alta, Via Rhine, Realtek 8139 and one other I can't seem to remember at the moment. I was all WTF, because I thought they were going to be Realtek 8139. OK, I guess I'm pretty happy with the Sundance NICs... wait, now these new ones are VIA Rhine! Bollocks. Yes, it matters when you're trying to use the same kernels on all your boxes and you want them to have the same hardware.

    You try and convince small business customers that the appliance they bought has a shelf life, and they have to buy a new one because the vendor refuses to fix their fuckery.

    1. I could be a dog really Bronze badge

      And the other trick I fell foul of a few years ago was "stackable" switches. So I buy what was then a quite expensive switch (this was the days when hubs were still the norm) on the basis that next year I'll want more ports so will stack an extra unit to it. Well by next year, they have a new model, with a totally different proprietary stacking interface - I was not amused. And it's not like the one I bought was an old model.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like