D-Link tells users to trash old VPN routers over bug too dangerous to identify

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier …

  1. rafff

    D-Link does not support open-firmware which voids any warranty

    But we already know that there is no warranty to void - other than that the SW is bad.

  2. Mentat74
    Facepalm

    Our old products are crap and full of security holes that we won't patch...

    Please buy our new products !

    Yeah right... pull the other one...

    Also :

    "Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024"

    How convenient that this particular bug has been discovered so soon...

    1. ComputerSays_noAbsolutelyNo Silver badge
      Joke

      Re: Our old products are crap and full of security holes that we won't patch...

      Will planned insecurity be the new planned obsolescence?

      In the past, manufacturers had to tinker with the placement of temperature-sensitive components to ensure that the device dies its intended death after its intended lifetime.

      Nowadays, they can just discover an 11 out of 10 CVE, which - very unfortunately - cannot be patched.

      1. Yankee Doodle Doofus Bronze badge

        Re: Our old products are crap and full of security holes that we won't patch...

        Nah, they'll do both. Insecurity alone won't be enough, as way too many people don't care/understand about security.

      2. ecofeco Silver badge

        Re: Our old products are crap and full of security holes that we won't patch...

        You have to ask?

      3. karlkarl Silver badge

        Re: Our old products are crap and full of security holes that we won't patch...

        > planned insecurity

        To be fair, that is the only excuse as to why we aren't all still just running Windows 2000.

    2. chasil

      OpenWRT?

      Will these things run OpenWRT?

      If so, D-Link should provide any keys required to unlock them, technical details, and let the aftermarket tend to itself.

      1. Marty McFly Silver badge
        Megaphone

        Re: OpenWRT?

        Several thoughts...

        1) If they can run OpenWRT, and that mitigates the defect, then the company could update the devices successfully.

        2) If they can run OpenWRT, and that does NOT mitigate the defect, then we are dealing with a new type of vulnerability problem, possibly at the chip or hardware level. Hopefully more industry research will be forthcoming as other devices using the same hardware could be impacted.

        3) If they cannot run OpenWRT, then perhaps these devices were hard coded in such a way to prevent reflashing with 3rd party code....and that hardcoding is also preventing D-Link from updating them. "We are tired of you geeks replacing our wonderful software with better stuff, we will fix you for good!!" And then getting bit by their own device lockout.

      2. rcxb Silver badge

        Re: OpenWRT?

        It does not appear any of the DSR- series is supported by OpenWRT. Though several other D-Link devices are:

        https://openwrt.org/toh/views/toh_available_16128

        That's the #1 thing I check on before buying, so that I don't ever have to throw out working hardware.

        If enough people did the same, there'd be significant extra value for the manufacturers to make sure they can offer that "feature" (which costs them practically nothing) when the device is new. At EOL, it's too late to get the manufacturer to do anything to help.

    3. XSV1
      Unhappy

      Re: Our old products are crap and full of security holes that we won't patch...

      Exactly right. They can go and fuck themselves. I will never buy another D-Link product.

    4. Richard Pennington 1
      Facepalm

      Re: Our old products are crap and full of security holes that we won't patch...

      It sounds like an excellent method of getting their customers to buy new product ... from somebody else.

  3. Sudosu Bronze badge

    Good luck

    How many people in the general public buy one of these things and leave it plugged in until it dies?

    If there are still 2015 devices floating around, the ones that EOL'd in 2024 will likely still be around in 2034.

    1. Ball boy Silver badge

      Re: Good luck

      I would imagine the vast majority of consumer-level users have never upgraded firmware in their routers/switches or similar devices. Most will be running whatever version was installed during manufacture unless the device is configured to auto-update or an upgrade was pushed by their ISP.

      Be honest: most people will only ever change the batteries in a smoke alarm because the damn thing beeps. What chance having the same people routinely check their router's firmware?

      1. heyrick Silver badge

        Re: Good luck

        "routinely check their router's firmware"

        It's not out of the realms of possibility to have the router check for itself.

        That being said, a self-checking router is a hell of a lot more likely than there being any new firmware to install.

        I have plenty of devices around with firmware in flash and claims that it can update itself. Well, the first step is to find some of these things even mentioned on the company's website. The second is to have anything that even remotely resembles firmware.

        I think far too often, and maybe for routers too, companies buy in stuff from a Chinese manufacturer and slap their own logo and branding into the thing. They don't care about the firmware as, asides from some simple customisations, that's all they ever did. The manufacturer doesn't care as they've already offloaded the devices to some sucker, and, well, everybody is too busy promoting the latest bit of techno-tat to want to have anything to do with what's already been sold.

        1. abend0c4 Silver badge

          Re: Good luck

          It's not out of the realms of possibility to have the router check for itself.

          Given the propensity for manufacturers to remove features without warning in firmware updates - and prevent you from reverting - that's almost as dangerous.

          1. skswales

            Re: Good luck

            Put a shilling in the meter to continue to use feature X...

        2. chivo243 Silver badge
          Trollface

          Re: Good luck

          My new ISP manages the updates to their gear. I like having someone else to bark at when things don't work.

    2. Press any key

      Re: Good luck

      The ones that went EOL in 2024 aren't just floating about, they're still for sale!

      1. Marty McFly Silver badge
        Facepalm

        Re: Good luck

        https://www.amazon.com/D-Link-Gigabit-Dynamic-Filtering-DSR-250/dp/B008021NSI

        Sold from the "D-link Store" too!

  4. Missing Semicolon Silver badge

    Is there no product liability at all?

    D-Link sold a product that was defective on the day it was made. The fact that the defect has taken years to find does not change that. There is this successfully-promoted idea that software "rots", and so there is no more liability for old software failing than there is for a mechanical product wearing out.

    Never mind "discounts". The default position should be "refund" or "exchange".

    1. Doctor Syntax Silver badge

      Re: Is there no product liability at all?

      100% discount would be acceptable.

    2. The commentard formerly known as Mister_C Silver badge

      Re: Is there no product liability at all?

      Over here in the UK we have the "Sale of Goods Act" for non-commercial sales. If the product was defective then it falls/fails under the category of "not fit for purpose". Anybody who bought one can (or should) return it to the retailer and ask for their money back. Probably have to accept a reduction due to fair wear-and-tear but it's then up to Amazon / ebuyer / $retailer to release the hounds on D-Link. And maybe if this actually happened then tech companies would get their shit into gear and not hide behind the "but this is soooo complicated" excuse. Software companies too....

      </rant>

      1. The commentard formerly known as Mister_C Silver badge

        forgot to say

        There's also the "not of merchantable quality" clause. And (bearing in mind that IANAL) this product probably qualifies.

      2. rafff

        Re: Is there no product liability at all?

        "Anybody who bought one can (or should) return it to the retailer "

        I actually did this once with a buggy compiler. It took a bit of arguing, but s/w does not have wear and tear, so they coughed up. Private/personal sale, natch.

      3. skrutt

        Re: Is there no product liability at all?

        "Sooo complicated!"

        -well then maybe you should change direction of your company and stop trying to make routers. I'd suggest turnips?

        Too bad that legislators don't have any insight on such matters

      4. Chloe Cresswell Silver badge

        Re: Is there no product liability at all?

        "over here in the UK we have the "Sale of goods act" for non-commercial sales." No we don't. The Sales of Goods Act (1979) was replaced with the Consumer Rights Act (2015).

    3. isdnip

      Re: Is there no product liability at all?

      The article's quote mentions D-Link US, so the rules may differ elsewhere. In the US, we have Freedumb, also called Caveat Emptor, and given that 49.98% of voters are suckers for any old grift, that model is profitable enough.

      1. Snapper

        Re: Is there no product liability at all?

        Luckily we are still using some of those nasty EU laws, which gives English consumers 6 years of product coverage from 'wear and tear'. Still not sure why in Scotland it's 5 years, but then they have the Haggis population to regularly slaughter.

        1. AJ MacLeod

          Re: Is there no product liability at all?

          It's the SNP way... do exactly the same as what Westminster does but at least slightly worse or more inefficiently

        2. gnasher729 Silver badge

          Re: Is there no product liability at all?

          No, you don’t get six or five years. You get a “reasonable time” from the date of sale until the defect is found. The repair can take a bit longer. And a device less durable than it should be is defective from day one. But six years is when the statute of limitations runs out.

  5. Wolfclaw

    The product isn't what is dangerous, but the badly written code and firmware from these companies, who do the bare minimum for consumer products.

    1. Headley_Grange Silver badge

      True, but they do the bare minimum because most consumers (not people who are reading here) want to spend the bare minimum. It's why printers are cheap and ink is expensive. It's why, on the last flight I took, it was more expensive to put a bag in the hold of an aircraft than it was to put a passenger in a seat.

      1. JimBz

        Running an EOL router is just a very bad idea, whether there are known exploits or not. There's an arms race going on.

      2. MattAvan

        This doesn't make much sense. There is OpenWRT out there, which they could slap on a router and leave the updates to the community if they want. Which some already do partially, like Xiaomi, with streamlining of the UI for noobs. No, they want to spend money developing proprietary and janky firmware even for the cheapest consumer routers. My Netgear router came with a bloated UI that took ten seconds to load and had a huge permanent ad for their app, while subsequently LuCI (OpenWRT) loads in milliseconds on the same device.

        1. skrutt

          Well I mean, IF they put OpenWRT on it, then it would be good?

          We can't have that, now can we?

          How else would we convince the masses that they need a new one if the old one is good..

        2. williamyf

          OpenWRT does not work on Broadcom routers, but DD-WRT does, because DD-WRT has certain agreements with Broadcom that OpenWRT does not.

          https://openwrt.org/meta/infobox/broadcom_wifi

          Similarly, there are routers that OpenWRT supports that DD-WRT does not (Like my own TP-Link PoS). And then, there is the Tomato Family. The open router firmware is an iceberg, that many a HW vendor does not want to navigate...

          Also, there are routers with proprietary firmware, based on things like Windriver OS and other RTOSs that require SIGNIFICANTLY less HW grunt to run.

          In the olden times, and more so with the 4/32 warning (https://openwrt.org/supported_devices/432_warning), many an old router will not be supported by Open FW going forward.

          Finally, many of these vendors will use the Toolkit provided by the SoC provider (redundancy intended) for their proprietary OS. This allows them to easily deploy a proprietary/"differentiated" solution, with "knowledgeable" support from the SoC provider. And if there is a security vuln, we the users rip the HW vendor to shreds, but behind the scenes, the HW maker rips the SoC vendor to shreds, and if push comes to shove, sometimes the SoC vendor will bear part or all of the £€¢¥$ cost of the security vuln.

  6. Piro

    Maybe it's similar to the NAS vulnerability

    Where you can include shell commands in a url that get executed, as a create account function passes everything to system
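The bug class Piro describes (a request parameter spliced into a shell command by an account-creation handler) as an added illustration, not code from the thread or from any D-Link product; the function names, the `useradd` command and the sample inputs are assumptions chosen for the example, and the unsafe variant only builds the command string rather than running it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical "create account" handler pieces. All names here are assumed
 * for illustration; none of this is vendor code. */

/* Unsafe pattern: the request parameter is pasted straight into a shell
 * command line, so any shell metacharacter in `name` becomes command text.
 * This version only formats the string so the example runs harmlessly.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_unsafe_command(const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "useradd %s", name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Defence 1: strict allowlist validation of the username before any use.
 * Accepts 1..32 chars, first char a letter, rest letters/digits/_/-. */
int username_is_valid(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    if (!isalpha((unsigned char)name[0])) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Defence 2: never go through a shell. Build an argv for execve/posix_spawn
 * so the name is one argument, not parsed command text. The name is
 * validated first regardless. Returns argc, or -1 on rejection. */
int build_argv(const char *name, const char *argv[], size_t max) {
    if (!username_is_valid(name) || max < 3) return -1;
    argv[0] = "useradd";
    argv[1] = name;
    argv[2] = NULL;
    return 2;
}

/* Detection aid for log review: flag request parameters carrying shell
 * metacharacters, the typical signature of this bug class being probed. */
int looks_like_injection_attempt(const char *param) {
    return strpbrk(param, ";|&`$(){}<>\n") != NULL;
}
```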

  7. IGotOut Silver badge

    Bullshit...

    Another scumbag company to avoid.

    "D-Link US is prohibited to provide support for these EOL/EOS products, "

    What complete and utter crap. I've never heard such horseshit spew from a marketing droid's mouth.

    Show me ONE law that says it's illegal to patch end of life product. No? Thought not

    Many other vendors (including MS) have done it in the past for high vulnerability exploits

    Just another example of all that's fucked up in tech these days

    1. Richard 12 Silver badge

      Re: Bullshit...

      Unfortunately it turns out I'm now prohibited from purchasing anything from D-Link, its subsidiaries and owners until the end of time.

    2. Michael Strorm Silver badge

      Re: Bullshit...

      Only excuse I can think of is that "D-Link US" might be legally and operationally a semi-separate entity which has some contractual arrangement with the main D-Link company that prohibits them from doing so?

      Or then again they might just be a regular subsidiary, and simply using that as an excuse to diffuse the blame for a course of action that doesn't suit D-Link. Or it might be poor wording. Or it might well be bullshit after all.

    3. Snowy Silver badge
      Coat

      Re: Bullshit...

      "D-Link US is prohibited to provide support for these EOL/EOS products, "

      Only prohibited by the cost.

    4. Snapper

      Re: Bullshit...

      I think the word they should use is 'prevented', not 'prohibited'.

      Think about it.

    5. Cliffwilliams44 Silver badge

      Re: Bullshit...

      Not prohibited by law, prohibited by D-Link Inc. Meaning if you call support they will tell you to sod off!

      No different than any other company's EOL products!

      BUT! A lot of "decent" companies would issue an emergency patch for an EOL product if it has a flaw so vulnerable it put a large % of their customer base at risk and distribute it with a prodding to upgrade as soon as possible.

      1. skrutt

        Re: Bullshit...

        I mean, my guess is that there could actually be a law that says that Dlink US must do what the mother company tells.

        So they might be technically correct that Dlink US is prohibited, but Dlink in general is guaranteed not prohibited from setting their own guidelines.

        But I learned 20 years ago not to Dlink so..

  8. ecofeco Silver badge
    FAIL

    Not Surprised

    D-Link lost any credibility with me decades ago. First their modems and then their routers.

    1. Mage Silver badge
      Alert

      Re: Not Surprised

      Me also.

      Stopped buying their stuff about 15+ years ago due to it being buggy. You'd turn something like DHCP Server off, add it to LAN as an airpoint and a couple of days later the LAN would break due to DHCP turning back on.

      I've had PCMCIA cards, PC cards (ISA or PCI?), hubs, switches, routers, modems, maybe even a print server (remote serial/Parallel really) etc. I must clear them all out to the Recycle Centre. I've an HP Serial/Ethernet I can use for the old A3+ Roland plotter, should I want to.

    2. hohumladida

      Re: Not Surprised

      D-Link stands for Dead-Link so they are just 'living' up to their name.

  9. Kevin McMurtrie Silver badge

    Lucky me

    I've never gotten anything from D-Link working as advertised so it was immediately returned.

  10. Mitoo Bobsworth

    D for Dud?

    I often wondered what it stood for.

    1. hohumladida

      Re: D for Dud?

      The D is for Dead.

  11. Chris 239

    "FU" D-link US says to ROW...

    The announcement linked says even the pathetic discount offered is only for US residents, apparently the message to the rest of the world is Fcuk You! Maybe adopting the foreign affairs approach of the president elect?

    It's also very unclear about the difference between EOL and EOS (end of service) and when they stop support, surely they can't stop security patch support right after they stop selling them? That should be illegal.

  12. Anonymous Coward
    Anonymous Coward

    I worked for a company in the late 90's that used D-Link 100Mb network cards in their desktop PCs. We discovered they maxed out at about 30Mb. So I swapped them all for Intel cards which tripled the speed of the network. Never bought anything from D-Link since.

  13. original_rwg
    Linux

    Router appliance

    I've never used the ISP supplied router as they're always built to a cost. I've also moved away from using an appliance as my router as if it dies (and that has happened before) I'm stuffed. I've now retired the little Fortigate in favour of a small PC with pfSense. Neither of these are for non-technical people but like many people who comment here, I'm not non-technical.

    The Fortigate was great but unfortunately, there is zero support for the second user market either in firmware or feature licences. I know many would say it's overkill for a domestic set up and they might be right but the more robust my security, the more attractive the low-hanging fruit is. Of course if you really want overkill, try out Mikrotik.

    1. Mr. Flibble

      Re: Router appliance

      I've not used pfSense, but its derivative, OPNsense is pretty good for free too.

      It's still nothing compared to Checkpoint or Palo Alto, but then I don't want to pay £10K + permanent subscription at home....

      It's not the easiest to configure some of the more complicated settings, but the GUI is nice, and after a drive (or openbsd upgrade, not sure which) failure, the config restore process worked perfectly.

      I did actually pay for a year of support at the beginning, which is reasonably priced.

  14. Tflhndn

    D-link = caca

    No surprise that they couldn't care less. Consumer hardware is garbage and should be avoided. Unfortunately, most don't know and/or don't care. Hopefully, anyone affected by this does a little searching and realizes that with a little time and hardware they can run so many different UTM OS'es. OPNsense ftw.

  15. bonkers

    Should we expect perfect forward security?

    I'm sure there's a lot of things D-Link could have done better, like using toolchains and languages that are safe against buffer overflows and other common attack vectors.

    This only makes it a bit better, it is still a small cheap processor facing the whole internet, where bad actors have immense resources, and indefinite time, to construct an attack.

    Using open-source software is almost certainly a better approach, it does normally ensure that the code gets a lot of expert review, but even then it cannot be guaranteed perfect forever - the "forward security" problem. So, it needs remote re-programmability to install patches, updates etc. - and including these features massively increases the attack surface and the potential consequences of a successful attack - like it can totally reprogram itself with hostile code.

    It would seem to be this bit, the over-air-reprogram function, that has the vulnerability in this case, and this code is not reprogrammable, to avoid "bricking" type problems. So, they're stuffed, patches won't work.

    The only approach I know of would be to formally verify the router code, using formal methods - and then remove any reprogrammability function.

    OK it takes longer, costs more, but you end up with an inviolable product that never needs updates.

    It is a big pill to swallow - you can pretty much forget about stack-based languages, unless you can absolutely guarantee stack depth and integrity for all time - to mention just one issue.

    Is it any sort of realistic possibility? I know that very complex software for oil refineries, chemical plants, uses these sorts of methods. I'm guessing the hard allocation of memory means you need more.

    Is it plausible for $50 routers? The volumes they get made in ought to dilute the SW cost down to nothing. Even if the HW cost more, it's a much better product.

    What does the Reg-o-sphere think?

    1. skrutt

      Re: Should we expect perfect forward security?

      Having a slower CPU should actually be better for security, as it cannot process as many malicious requests.

      If Dlink was a cool company, with their development process up to snuff, they could just make a patch fixing just this exploit. "Here you go, but we still recommend an update." Then one might actually consider staying with the brand.

      But more than likely, THAT piece of firmware is buried in a closet somewhere and the one employee who knew what was the latest version is long gone.

  16. Herby

    What business is D-Link in??

    If they are in the business of selling hardware, why don't they just make a platform for OpenWRT and leave it at that. It would be kinda like a Computer vendor selling hardware that runs Linux. D-Link would sell hardware and make the proper amount of $$$ on the hardware, and leave the software to someone else. Of course this would eliminate bunches of useless droids that cobble up D-Link software (might save them some money making them redundant), but would be better for the rest of us.

    Probably wishful thinking on my part.

  17. williamyf

    ¿How will the FTC view this, given that their 2018 settlement with D-link regarding security practices is still in force?

    https://arstechnica.com/information-technology/2019/07/d-link-agrees-to-new-security-monitoring-to-settle-ftc-charges/

    Who knows...

    PS: ¿Where is the popcorn icon?
