Remotely Exploitable Vulnerability In All D-Link Gateways in D-Link

Remotely Exploitable Vulnerability In All D-Link Gateways in D-Link http://www.dslreports.com/forum/r16315139 en Thu, 03 Dec 2009 05:52:54 EDT Thu, 03 Dec 2009 05:52:54 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16602739 PRBear8 : Is the VDI-624 also affected? It's basically a DI-624 with custom firmware.

If it is affected, is D-Link working on a patched firmware for it?

Is Verizon aware of the issue and who's responsible if my PC's are attacked as a result of the vulnerability? D-Link or Verizon?]]> http://www.dslreports.com/forum/remark,16602739 Sat, 29 Jul 2006 17:50:35 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16540356 klo : Urm... I forgotten to read the wireless part of your post JTS33...

Yes, if it is UPnP, I would imagine it is also exploitable via wireless - after all, the problem lies in the UPnP feature.

Here's something I found in the forum you might find helpful:
»www.eeye.com/html/research/advis···714.html]]> http://www.dslreports.com/forum/remark,16540356 Thu, 20 Jul 2006 15:30:19 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16540246 klo : Yeah it seems that way - at least from what I've heard / read anyway...]]> http://www.dslreports.com/forum/remark,16540246 Thu, 20 Jul 2006 15:14:58 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16535192 JTS33 : Is the UPnP vulnerability exploitable only to someone who has physical access to the router? (in other words, being able to plug into one of the wired ports).

Or can it be used to compromise the router wirelessly?]]> http://www.dslreports.com/forum/remark,16535192 Wed, 19 Jul 2006 21:04:48 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16532810 klo : I know this might be a bit of a stupid question, but would disabling UPnP on the router mitigate this vulnerability?

(Btw. thanks rseiler, for the link!)]]> http://www.dslreports.com/forum/remark,16532810 Wed, 19 Jul 2006 15:31:36 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16531316 rseiler : Is this it?
»www.eeye.com/html/research/advis···714.html

Given this, it would seem that the problem is all but meaningless for wired routers: "This vulnerability exists on the Local Area Network (LAN) interface of affected D-Link devices. Due to the ease in which one can gain access to the LAN interface of wireless devices, this attack is remote in nature."

Systems Affected:
DI-524 Rev A
DI-524 Rev C
DI-524 Rev D
DI-604 Rev E
DI-624 Rev C
DI-624 Rev D
DI-784 Rev A
EBR-2310 Rev A
WBR-1310 Rev A
WBR-2310 Rev A]]> http://www.dslreports.com/forum/remark,16531316 Wed, 19 Jul 2006 11:54:21 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16506456 Stonecoldtx : Would this perhaps be the Vulnerability?

»www.securityfocus.com/bid/16621

Or, perhaps THIS one, from last year?

»www.securityfocus.com/bid/13679]]> http://www.dslreports.com/forum/remark,16506456 Sat, 15 Jul 2006 16:25:01 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16485660 funchords : This whole thread is horked.

There obviously are two different issues.

The DI-5xx/6xx software architectures are fundamentally different than the 2100AP and it is unlikely that they would share the same bugs or vulnerabilities. ]]> http://www.dslreports.com/forum/remark,16485660 Wed, 12 Jul 2006 14:36:33 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16485630 JTS33 :

said by funchords

said by DLinkSupprt3

:

The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.

I'm sorry, but this is making no sense to me at all.

First, D-Link does not list the 2100ap above.

Second, the exploit mentioned seems to have nothing to do with UPnP.

I'm perfectly willing to end up with egg on my face -- but is D-Link sure that we're talking about the same vulnerability?

-- Robb the Very Confused

The webpage link in the original post doesn't provide any details about the vulnerability except to say that it allows remote code execution. But given the mention of UPnP, it is probably referring to a different vulnerability than the webpage links provided by latinuser_uy concerning the 2100ap.]]> http://www.dslreports.com/forum/remark,16485630 Wed, 12 Jul 2006 14:32:33 EDT Re: New firmware available for DI-624! http://www.dslreports.com/forum/remark,16456751 sir_brizz : WBR-2310 1.02 Beta, stable so far, and fixes exploits mentioned.]]> http://www.dslreports.com/forum/remark,16456751 Sat, 08 Jul 2006 01:13:21 EDT Re: New firmware available for DI-624! http://www.dslreports.com/forum/remark,16455277 JimF : The comparable software for the DI-524 fixes the UPNP reboot issue for me. It is completely stable after 24 hours even with UPNP disabled. But I use it only as an access point, and can not check the other reboot issues, such as P2P or gaming use that require opening ports and may cause reboots with heavy use. And I would avoid Turbo mode with the 624.]]> http://www.dslreports.com/forum/remark,16455277 Fri, 07 Jul 2006 20:23:12 EDT New firmware available for DI-624! http://www.dslreports.com/forum/remark,16455057 anon : Hey have anyone tried the new firmware for DI-624 on the UK D-Link site?

»www.dlink.co.uk/?go=jN7uAYLx/oIJ···bpTNuU6B

For those who have tried it, does it also fix the reboot problem?

I'd love to know as I'm on a slightly older (but very stable) FW at the moment and I'd like to keep my router as stable as possible.

Thanks.]]> http://www.dslreports.com/forum/remark,16455057 Fri, 07 Jul 2006 19:42:47 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16422188 JimF : Yes, I am using 3.20 now. But I have tried 3.02, its original firmware, and it still reboots with UPNP disabled, though not as frequently as with 3.20. In fact, I have gone through all the recent versions of the DI-624 firmware also using paul248's hex editing procedure, including 2.71b11 and 2.59, as well as the Eusso generic firmware and they behave the same way insofar as UPNP is concerned for me. There are other factors that cause reboots too, and you have to un-peel the onion layer by layer. But 3.20 is stable for me now.
]]> http://www.dslreports.com/forum/remark,16422188 Sun, 02 Jul 2006 17:42:17 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16421987 JTS33 :

said by JimF

:

I use my DI-524 C1 as an access point only, with the WAN port disconnected and DHCP turned off, and still get the reboots when UPNP is disabled.

You're running firmware v3.20, right?

With my DI-524 C1,
firmware 3.20 = reboots with UPnP disabled
firmware 3.02 = NO reboots with UPnP disabled

It looks like a firmware issue to me.]]> http://www.dslreports.com/forum/remark,16421987 Sun, 02 Jul 2006 16:46:12 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419762 JimF :

said by Hofbrau :

"Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot"

It might not be so ironic (or random) after all. It could very well be that disabling UPnP exposes the vulnerability in some manner, which allows incidental Denial of Service conditions to take place, an obvious symptom of which might be resetting of the gateway.

Probably not. I use my DI-524 C1 as an access point only, with the WAN port disconnected and DHCP turned off, and still get the reboots when UPNP is disabled. In fact, the reboots occur even if there is no traffic at all through the DI-524. It is a long-standing problem that predates the discovery of the vulnerability. Yes, I have seen cases where the wrong packet can cause a reboot even of my PC. But I expect this rebooting problem is just due to inadequate testing of the router under non-default conditions, since UPNP is enabled by default. It doesn't say much for their quality control, but I am personally not concerned about the security issue. In fact, it is pretty safe as it is rebooting.]]> http://www.dslreports.com/forum/remark,16419762 Sun, 02 Jul 2006 07:14:17 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419674 anon : "This Firmware update: DI-604 - 3.52 is for the DI-604 Rev. E. I have the DI-604 Rev. B, is there a Firmware update planned for it as well?"

Great question.

If only D-Link had a security advisory/statement with a FAQ to answer such questions.

Nah, thats expecting too much from them.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419674 Sun, 02 Jul 2006 06:40:21 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419671 anon : "Does this mean there is a possiblity that Dlink will update the DI524 Rev d firmware. It is utter garbage your own tech told me so."

Take note of the fact that even though they list the 604 as being "fixed", the firmware update made available only applies to the E revision of the 604. Earlier revisions have no firmware update made available.

You might want to keep that in mind when it comes to your own situation with your 524 Rev D.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419671 Sun, 02 Jul 2006 06:36:55 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419660 anon : "It looks like the eEye report, and the reply from DLinkSupprt3 refers to "routers". The post from latinuser_uy refers to the DWL-2100ap, which is of course an access point, though it seems to be loosely referred to as a router also in some of the security reports. So there may be two different vulnerabilities."

Two different vulnerabilities.

The D-Link "tech" essentially confirms it with his statement regarding the vulnerability being related to the UPnP functionality - which isnt in play with the DWL-2100AP report.

"At any rate, they don't list the DI-634M as being affected, and you can turn off UPnP on that without a problem."

Different UPnP IGD 1.0 code modules most likely. There are plenty of vendors of UPnP device code these days, not to mention all the in-house modifications that chipset makers and device vendors can and do make with whatever code they licensed (assuming its licensed, and not completely coded in-house).

"So I am hoping that the fix will allow UPnP to be turned off on the DI-524 as well. We can always hope."

It certainly would be nice if they included a stable mature robust sedure UPnP IGD 1.0 implementation.

Considering all the exposure that Microsoft endured over its own insecure UPnP support code in Windows back in late 2001, youd think a UnP device implementer would "go the extra mile" when it comes to verifying and testing their UPnP code/functionality.

Also, considering that such UPnP code is modular, and available for licensing/usage from several sources/vendors, and considering that eEye only listed D-Link gateways being affected (assuming they tested other vendors popular models), one can reasonably assume that D-link either coded its UPnP IGD module in house, or did in-house modifications to a licensed module from a third party.

Either way, it doesnt bode well for D-Link's in-house firmware engineering and development.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419660 Sun, 02 Jul 2006 05:44:55 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419626 anon : "I'm sorry, but this is making no sense to me at all."

I bet it doesnt.

Its what happens when one doesnt read (in this case the original post).

"First, D-Link does not list the 2100ap above."

Ayup. Its not gateway. Its a wireless access point. As such, it wouldnt need UPnP IGD (Internet Gateway Device) 1.0 support, since, its not a gateway. It could have UPnP WLAN Wireless Access Point 1.0 support, or even UPnP Basic Device 1.0 support, but, it doesnt.

Its not a gateway, and it doesnt have UPnP device support of any kind.

One might consider these additional "clues" that one apparently didnt bother reading the original post, or the content at the referenced link, or, didnt comprehend that the second post contains links to a different vulnerability.

"Second, the exploit mentioned seems to have nothing to do with UPnP."

Perhaps you should have read the original post, and not the second post, for details (as minimally provided) about the vulnerability.

Nothing in the provided "details" would exclude UPnP in any way, and would in fact include it, considering that the vulnerability is remotely exploitable, and UPnP IGD 1.0 is a "remotely accessible" service.

Reading - it works.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419626 Sun, 02 Jul 2006 05:25:07 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419612 anon : "Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot"

It might not be so ironic (or random) after all. It could very well be that disabling UPnP exposes the vulnerability in some manner, which allows incidental Denial of Service conditions to take place, an obvious symptom of which might be resetting of the gateway.

Virtually every vulnerability that allows for command execution, also allows for lower level DoS attacks in terms of exploitation.

You'll notice the tech never recommended disabling UPnP, which would be an obvious recommendation to make for an affected component/function, in general.

Could it be that the reason he didnt, is because doing so exposes the vulnerability?

I guess we'll never know until either eEye or D-Link issues a detailed advisory...

Its nice to know they both have our security in mind, by denying us information (or beta firmware updates still being tested) that would allow us to mitigate the vulnerability and/or reduce our exposure, and allow us to make (somewhat) informed decisions about products we own and use.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419612 Sun, 02 Jul 2006 05:11:03 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16419600 anon : "We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04"

Thats..somewhat..useful.

Handy if you have a 784 or a 2310 - but what if you have one of the 5 major revisions of the 604?

You dont mention which revisions that firmware update is appropriate for.

Could it be because you dont know? Could it be because D-Link simply doesnt want to offer a security update for the older revisions? Could it be because they arent affected?

Hey, you know what would be a really neato idea?

You should issue some sort of press release/security advisory to the public, via any/all of your global domains, with general and specific information about the security vulnerability (such as the nature of the vulnerability, which models/revisions are affected), a firmware update release schedule, with links to already released firmware updates, etc.

Hey, I just thought that up all by myself.

I must be pretty neato cool, considering I dont have global revenues of 1 billion USD (as of 2005), with offices in over 90 countries, yet, I was somehow able to type up the original post in an attempt to inform the public and current customers so that they might be able to make (somewhat) informed decisions about usage/purchase of D-Link gateway products.

Just think about the level of support I could offer on this issue if I had several different web domains with a global pre3ence in over 90 countries and revenues exceeding 1 billion USD (in 2005)....

Hmm.

"Firmware for the other models is currently being tested."

Well, thats good. I wouldnt want you to release a security update too soon without appropriate testing.

Considering that you were informed at one time about all the different (known) models affected, and considering that you already released updates for some models/revisions, and not for others, we can rest assured that obviously adequate testing was done on the already released firmware updates.

One doesnt need to wonder about the testing quality for the updates already released.

And surely one doesnt have to wonder if perhaps D-Link didnt bother testing all the models potentially at risk when initially informed, but rather got around to testing additional models for the vulnerability weeks/months later, thus once again demonstrating how competent the D-link firmware engineers are, and how seriously D-Link takes security, especially for products sold in part as security devices.

And surely, no customer would want to perhaps be able to download the "secured" and "fixed" firmware as an unsupported "beta" for those models while D-Link spends more time "testing" the quality of the "fix".

Nah. What customer would want to be secure sooner rather than later, even with an unsupported firmware release? That would make people think D-Link took security seriously (for its part-security devices), and we couldnt have that.

"We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it."

I sure hope its the same problem as indicated by the eEye security advisory. If it isnt, that would just be another reason to take D-Link seriously when it comes to security.

So, considering your statement that the vulnerability exists in the UPnP functionality, wouldnt it seem prudent then, to advise customers to disable UPnP functionality in the affected gateway models, so as to mitigate and/or eliminate the exploit vector, at least temporarily?

And considering that no details of the vulnerability have been provided/specified, how do we know that the nature of the bug/flaw isnt exploitable directly from the WAN side?

Oh, right, we dont, because the hour or two (max) it might take to issue a press release/advisory/statement about the vulnerability, the affected models/revisions, the available firmware updates, and any mitigating steps users can take in the meantime, etc, is apparently too much to handle for a company with over 1 billion USD in global revenues.

Have you folks considered hiring a PR Manager? Perhaps a Product Security Manager or similar?

If you want, I'll write up a quick security advisory/press release for you, and you can put it up on all of your global web domains.

That way, you can avoid bad PR...oops. Too late.

Well, there's always professional pride...or not.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16419600 Sun, 02 Jul 2006 04:59:29 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16417583 computerman2 : I have a D-Link 524 Rev C, and Family uses wireless to do banking is this still safe? should i try disabling UPnP, and see what happens, want these PC's as secure as possible since Family members do banking, bill payment and such. I'm wired up to the router, but can't wire the other machines, but if forced to wire, then i'm going back to my Netgear router.

Zonealarm is on all of theres up there, mine is wired to it

Anything i can do to make this router more secure until Firmwire is updated if it is ever]]> http://www.dslreports.com/forum/remark,16417583 Sat, 01 Jul 2006 18:58:14 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16416959 anon : I've always had UPnP disabled in my DI-524 rev.A and have never had any problems.]]> http://www.dslreports.com/forum/remark,16416959 Sat, 01 Jul 2006 16:35:19 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16416038 neek :

said by DLinkSupprt3

:

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.

This Firmware update: DI-604 - 3.52 is for the DI-604 Rev. E. I have the DI-604 Rev. B, is there a Firmware update planned for it as well?]]> http://www.dslreports.com/forum/remark,16416038 Sat, 01 Jul 2006 12:56:54 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16413711 JB2001 : Yeah, but as I've noticed for years in many organizations, the folks who answer the phones are rarely the developers. In my experience, the support group is almost never even in the same branch of the organization as development, so there's little incentive to make the tech support person's job any easier. Doesn't look like Dlink is any exception.]]> http://www.dslreports.com/forum/remark,16413711 Fri, 30 Jun 2006 23:31:42 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16409239 JimF : What I find curious is that a lot of the problems continue from one generation of hardware to the next. The UPNP stability issue is one well-known example. They obviously reuse as much of the code as possible. There is nothing wrong with that when it works. But they are only generating more support calls for themselves when the same problems reoccur time after time. ]]> http://www.dslreports.com/forum/remark,16409239 Fri, 30 Jun 2006 11:04:01 EDT Re: Off topic --- question http://www.dslreports.com/forum/remark,16409149 CdTriX : BTW i'm no longer with D-Link =) woo hoo =)

yeah.. i've seen a few techs browse the DSLreports website and this forum actually... it's a lot more informative when someone smart actually calls...

I was one of the good techs... i always solved cases.. and i knew what i was doing...

i got a lot of.. thank god you speak english.. wow someone that knows what's going on.. stuff like that...

trust me... once you've done the training.. you hit a brick wall.. on d-link products.. you come here when you want specific info.. people that actually do the testing and is accessible by everyone... and we don't get info on new stuff.

back when before we could send links to people... i use to remember a specific fix for a specific issue and send the customer to the link.

but you guys don't need my help... i'm level 1 and 2 support and most of you guys are beyond that... i just help the joe shomes that can't setup their stuff]]> http://www.dslreports.com/forum/remark,16409149 Fri, 30 Jun 2006 10:46:40 EDT Re: Off topic --- question http://www.dslreports.com/forum/remark,16407732 funchords : D-Link Support (the corporate guys, not the Level-X techs) seems to have the attitude that ... "hey, it's a low-dollar item, what kind of support to they expect for free."

What they fail to realize is that great support begets brand loyalty in spades. Likewise, bad support creates brand avoidance.

Personally, I'm glad the good Techs read this board. This has to be one of the best resources covering the very products they support.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~]]> http://www.dslreports.com/forum/remark,16407732 Fri, 30 Jun 2006 02:33:51 EDT Re: Off topic --- question http://www.dslreports.com/forum/remark,16402471 CdTriX : Yeah, there's a lot of models that aren't sold in the typical "bestbuy" and "Circuit City" main stores... most are special order or even only available through the D-Link shop.. Someone called about the DSM-520RD... which is the HD version of the DSM-320.. we weren't even briefed on it and someone already called in... DI-624S, and a whole bunch of stuff.... DSM-600 ( the network storage device ), none of these were released to the retail stores yet people have them... but that'd D-Stink for you =)

and trust me.. if there is a vulnerability and you guys on dslreports knows about it.. D-Link is just finding out about it now after reading the forums... i don't think we even get emails about this stuff... same thing goes for the DSM600.. where you needed level 3 for the firmware... level 1 and 2 would be... what firmware? and will deny you the transfer to level 3 for that firmware. they don't tell techs anything....

anyways... ]]> http://www.dslreports.com/forum/remark,16402471 Thu, 29 Jun 2006 12:46:51 EDT Re: Off topic --- question http://www.dslreports.com/forum/remark,16399968 funchords :
said by braynes :

It is a Dual wan router and I obtain it from amazon. It works very well.
Bruce

Thanks! That's a new model# to me.]]> http://www.dslreports.com/forum/remark,16399968 Thu, 29 Jun 2006 00:58:50 EDT Re: Off topic --- question http://www.dslreports.com/forum/remark,16392886 braynes : It is a Dual wan router and I obtain it from amazon. It works very well.
Bruce]]> http://www.dslreports.com/forum/remark,16392886 Wed, 28 Jun 2006 04:59:55 EDT Off topic --- question http://www.dslreports.com/forum/remark,16392573 funchords :
said by braynes :

When you say DI-604's does that include the DI-LB604?
Thank you
Bruce

What is this and where did you obtain it?]]> http://www.dslreports.com/forum/remark,16392573 Wed, 28 Jun 2006 02:22:11 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16390696 braynes : When you say DI-604's does that include the DI-LB604?
Thank you
Bruce]]> http://www.dslreports.com/forum/remark,16390696 Tue, 27 Jun 2006 21:00:10 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16386380 anon : Quote Dlink Support
"The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.
----------------------------------------------------------

Does this mean there is a possiblity that Dlink will update the DI524 Rev d firmware. It is utter garbage your own tech told me so.]]> http://www.dslreports.com/forum/remark,16386380 Tue, 27 Jun 2006 10:26:02 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16356905 JimF : It looks like the eEye report, and the reply from DLinkSupprt3 refers to "routers". The post from latinuser_uy refers to the DWL-2100ap, which is of course an access point, though it seems to be loosely referred to as a router also in some of the security reports. So there may be two different vulnerabilities. At any rate, they don't list the DI-634M as being affected, and you can turn off UPnP on that without a problem. So I am hoping that the fix will allow UPnP to be turned off on the DI-524 as well. We can always hope.]]> http://www.dslreports.com/forum/remark,16356905 Thu, 22 Jun 2006 21:04:30 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16356212 funchords :
said by DLinkSupprt3 :

The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.

I'm sorry, but this is making no sense to me at all.

First, D-Link does not list the 2100ap above.

Second, the exploit mentioned seems to have nothing to do with UPnP.

I'm perfectly willing to end up with egg on my face -- but is D-Link sure that we're talking about the same vulnerability?

-- Robb the Very Confused
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~]]> http://www.dslreports.com/forum/remark,16356212 Thu, 22 Jun 2006 19:19:50 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16354304 JTS33 :
said by DLinkSupprt3 :

the problem found has to do with UPnP
Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot.]]> http://www.dslreports.com/forum/remark,16354304 Thu, 22 Jun 2006 14:31:51 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16354185 joe_dude : DLinkSupprt3, thanks for the update.

IMHO, unlike regular users, I think it helps to let us know what's going on, so we all don't switch to another brand tomorrow. ;)]]> http://www.dslreports.com/forum/remark,16354185 Thu, 22 Jun 2006 14:16:36 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16354153 Foxbat121 : Glad to see good old Hofbrau hasn't changed a bit.]]> http://www.dslreports.com/forum/remark,16354153 Thu, 22 Jun 2006 14:10:05 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16354152 joe_dude : Linksys? Not!]]> http://www.dslreports.com/forum/remark,16354152 Thu, 22 Jun 2006 14:09:56 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16353769 Anonymous_ : um glade to have my linksys]]> http://www.dslreports.com/forum/remark,16353769 Thu, 22 Jun 2006 13:24:19 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16353634 DLinkSupprt3 : The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.
--
D-Link Building Networks for People]]> http://www.dslreports.com/forum/remark,16353634 Thu, 22 Jun 2006 13:06:27 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16353390 joe_dude : So what happens to other users that have older versions of routers or in different countries?

This could be seriously bad...!]]> http://www.dslreports.com/forum/remark,16353390 Thu, 22 Jun 2006 12:34:09 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16351651 latinuser_uy : HI,
I tested the dwl-2100ap vulnerability, from an unauthenticated browser, tried the url »ip-of-my-dwl2100ap/cgi-bin/config.cfg

I got a config file for download. It contained the wireless key in plain text format, plus the "admin" key in plain text, among other configuration stuff.

Then I tried »ip-of-my-dwl2100ap/cgi-bin/nada.cfg and toto.cfg : same results.

HW DWL-2100AP
FW 2.00

I'm using the DWL-2100ap in AP mode, WPA-PSK. From the PC I was running the browser from, I had another browser which had an expired session (up from yesterday night) to the DWL-2100ap (the 2100ap would ask me for user/password as soon as I click on any option). I'll try again doing this first thing after rebooting my computer. I guess that's going to be after I come back from the office.

There seems to be a 2.2 fw for the dwl2100ap from some non-us site, has anyone tried that one?

Regards.]]> http://www.dslreports.com/forum/remark,16351651 Thu, 22 Jun 2006 07:38:36 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16351254 anon : "I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it."

The D-Link tech may be implying that the 2.40 firmware dated as of 3/22/06 fixes the vulnerability.

»support.dlink.com/products/view.···DI%2D784

It does in fact list as the first item "Fixed DOS issue".

(They meant "DoS issue", though, if they took this seriously at all, they would have typed out "Denial-of-Service Security Issue" to be a little more clear. However, thats a minimization of the actual vulnerability which is in fact remotely exploitable and allows for complete system takeover, assuming its the same security issue at all that its referring to. Its not like they have provided any specific documentation or details about the problem/patch.)

Surely, you didnt expect him to come right out and tell you which firmware version for which model/revision addresses the issue, did you?

I mean, that would be like, useful support, like, and stuff.

If they were like to do like that, you might like get the idea like that they like take this security stuff like seriously dude.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16351254 Thu, 22 Jun 2006 03:05:54 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16351228 anon : "I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv0206en.html ...

The alledged output file format is also very usual for that type of router.

Can anyone?"

I sure hope no one can, since the vulnerability listed there was pretty specific to the DWL-2100 AP.

I know I cant.

Perhaps because they are two different vulnerabilities, with two different advisories?

Reading works - really.

Perhaps more time should be spent honing up the reading skills rather than apologism and minimization skills, but, that would probably only result in more time spent ambiguously and ignorantly (and amusingly) naysaying the "NAT Traversal" aspect of the UPnP IGD 1.0 specification under the general idea of "UPnP is insecure".

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16351228 Thu, 22 Jun 2006 02:48:02 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16351183 anon : "So would someone from D-Link please list the affected gateway/routers!!!!!"

Notice the supposed D-Link tech didn't list the affected gateway models - only the ones (3..with no qualifications for different revisions for the same model such as the 604) with supposedly "patched" firmware updates.

Considering the lack of communication from D-Link preceding this posting, and from D-Link within this thread, you must assume that every current/recent gateway model is vulnerable.

"Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that...."

D-Link is minimizing the extent and nature of the remotely exploitable vulnerability that allows for complete system subjugation of every gateway model they produce/produced?

This would be the same flaw that they have yet to officially and publicly acknowledge of their own accord in any significant and specific and detailed manner, right? (That might be considered minimization as well..perhaps?)

They are clearly taking this seriously, what with the way they have considerately allowed their users to continue to use their extremely vulnerable insecure gateway products none-the-wiser, with no workarounds or mitigation steps being provided or offered.

You can see how seriously they are taking this what with the way they offered a patched firmware for Revision E 604s, but not for any of the earlier revisions. Hey, I know, only the E revision of the 604 is affected, you can read the details about it in their security advisory...oops...what advisory? Never mind.

Nothing like issuing a patch for some revisions of some gateway models for a security vulnerability that exists (apparently) in all revisions of all gateway models, without a security advisory to accompany it to explain the details.

Who says they dont care about or take seriously security?

Surprised?

I know I am.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16351183 Thu, 22 Jun 2006 02:27:14 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16351096 ozzy_0 : I am also at a loss in finding the patched firmware for the DI-784 anywhere on the Dlink site. Please advise where we can obtain it.]]> http://www.dslreports.com/forum/remark,16351096 Thu, 22 Jun 2006 01:49:43 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16350817 funchords : I could not reproduce this on my DI-624 using the steps in »www.intruders.com.br/adv0206en.html ...

The alledged output file format is also very usual for that type of router.

Can anyone?]]> http://www.dslreports.com/forum/remark,16350817 Thu, 22 Jun 2006 00:46:20 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16350375 joe_dude : Woah! How did this fly under the radar?!?

So would someone from D-Link please list the affected gateway/routers!!!!!

Looking at the description of the new DI-604 firmware, it's a fix for a DoS attack? I thought it was more serious than that....]]> http://www.dslreports.com/forum/remark,16350375 Wed, 21 Jun 2006 23:25:29 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16343171 jbob :
said by DLinkSupprt3 :

Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models that a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready.

I have a DI-784 but the current firmware on the site hasn't changed since v2.40, 3/22/2006. Surely this is not a release for the 784 that fixes the vulnerability. Unless the fixed firmware is at another location on the site...Beta??]]> http://www.dslreports.com/forum/remark,16343171 Tue, 20 Jun 2006 23:34:13 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16342927 michaelr7 : DLinkSupprt3,

Is a list of affected router models available so that users may take precautions until a firmware with the fix is available? If not the only recourse is to pull all D-Link devices from our/our clients networks.
--
Tucson, AZ (W) - Sedona, AZ (H)]]> http://www.dslreports.com/forum/remark,16342927 Tue, 20 Jun 2006 22:54:37 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16341912 DLinkSupprt3 : Although there has been no official notification, we have released firmware for a few of the affected router models that fixes this vulnerability. The models with firmware posted on our support site are the DI-604, DI-784, and EBR-2310. For the models that a fix has not yet been released, we are currently in the process of testing firmwares and will be releasing them as soon as they are ready.
--
D-Link Building Networks for People]]> http://www.dslreports.com/forum/remark,16341912 Tue, 20 Jun 2006 20:31:06 EDT Re: Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16338772 latinuser_uy : I saw this one about the DWL-2100ap (havent tested it myself):

»www.intruders.com.br/adv0206en.html
»www.securitytracker.com/alerts/2···234.html

SecurityTracker Alert ID: 1016234
SecurityTracker URL: »securitytracker.com/id?1016234
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Jun 6 2006
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes
Version(s): D-Link DWL-2100ap; firmware version 2.10na
Description: A vulnerability was reported in the D-Link DWL-2100ap wireless router. A remote user can obtain sensitive information from the target device.

A remote user can directly request files in the '/cgi-bin/' directory with a '.cfg' file extension to obtain the device configuration.

A demonstration exploit URL is provided:

»[target]/cgi-bin/Intruders.cfg

Wendel Guglielmetti Henrique and the Intruders Tiger Team Security discovered this vulnerability.

The original advisory is available at:

»www.intruders.com.br/adv0206en.html
Impact: A remote user can obtain the device configuration, including password information.
Solution: The vendor has reportedly issued a firmware patch, available at:

»www.dlink.com.br/internet/downlo···0343.tfp
Vendor URL: www.dlink.com/ (Links to External Site)
Cause: Access control error

Message History: None.]]> http://www.dslreports.com/forum/remark,16338772 Tue, 20 Jun 2006 13:03:01 EDT Remotely Exploitable Vulnerability In All D-Link Gateways http://www.dslreports.com/forum/remark,16315139 anon : »www.eeye.com/html/Research/Upcom···dex.html

Vendor: D-Link
Severity: High (Remote Code Execution)
Date Reported: February 27, 2006
Days Since Initial Report: 109

Date Reported:
February 27, 2006

Vendor: D-Link

Description: A vulnerability in D-Link routers allows for code execution and the compromise of the router.

Severity: High (Remote Code Execution)

Software Affected: D-Link firmware

D-Link were notificd back in February, and nary a word or firmware update has been made available to address this issue.

This vulnerability apparently affects all (or several) gateway models.

It does allow remote code execution, which means complete control over the gateway (and any/all network traffic/data).

Due to eEye's adherence to "responsible disclosure" protocols for security vulnerabilities, specific details are not available, and, therefore, users and admins networks/connections are left completely at risk.

That means that aside from replacing (permanently or temporarily) the D-Link gateway, nothing can be knowingly done to prevent exploitation.

Users should be aware continued usage of any/all D-Link gateways models puts their networks/internet connections at risk of complete compromise, until such time as firmware updates are released thart specifically address this critical vulnerability.

Cogitate,
Hofbrau]]> http://www.dslreports.com/forum/remark,16315139 Fri, 16 Jun 2006 14:08:24 EDT