
JimF

join:2003-06-15
Allentown, PA

reply to funchords
Re: Remotely Exploitable Vulnerability In All D-Link Gateways

It looks like the eEye report, and the reply from DLinkSupprt3 refers to "routers". The post from latinuser_uy refers to the DWL-2100ap, which is of course an access point, though it seems to be loosely referred to as a router also in some of the security reports. So there may be two different vulnerabilities. At any rate, they don't list the DI-634M as being affected, and you can turn off UPnP on that without a problem. So I am hoping that the fix will allow UPnP to be turned off on the DI-524 as well. We can always hope.


524DJunk

@rr.com

Quote Dlink Support
"The routers that could be affected by this are:

DI-524
DI-604
DI-624
DI-784
EBR-2310
WBR-1310
WBR-2310

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it."
----------------------------------------------------------

Does this mean there is a possibility that Dlink will update the DI524 Rev d firmware? It is utter garbage; your own tech told me so.


braynes
Premium
join:2005-03-14
Waterville, ME
reply to DLinkSupprt3
When you say DI-604's does that include the DI-LB604?
Thank you
Bruce


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

Off topic --- question

said by braynes:

When you say DI-604's does that include the DI-LB604?
Thank you
Bruce

What is this and where did you obtain it?


braynes
Premium
join:2005-03-14
Waterville, ME
It is a dual-WAN router and I obtained it from Amazon. It works very well.
Bruce


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

said by braynes:

It is a dual-WAN router and I obtained it from Amazon. It works very well.
Bruce

Thanks! That's a new model# to me.

CdTriX

join:2005-04-25
Mississauga, ON

Yeah, there's a lot of models that aren't sold in the typical "bestbuy" and "Circuit City" main stores... most are special order or even only available through the D-Link shop.. Someone called about the DSM-520RD... which is the HD version of the DSM-320.. we weren't even briefed on it and someone already called in... DI-624S, and a whole bunch of stuff.... DSM-600 ( the network storage device ), none of these were released to the retail stores yet people have them... but that's D-Stink for you =)

and trust me.. if there is a vulnerability and you guys on dslreports know about it.. D-Link is just finding out about it now after reading the forums... i don't think we even get emails about this stuff... same thing goes for the DSM600.. where you needed level 3 for the firmware... level 1 and 2 would be... what firmware? and will deny you the transfer to level 3 for that firmware. they don't tell techs anything....

anyways...


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

D-Link Support (the corporate guys, not the Level-X techs) seems to have the attitude that ... "hey, it's a low-dollar item, what kind of support do they expect for free."

What they fail to realize is that great support begets brand loyalty in spades. Likewise, bad support creates brand avoidance.

Personally, I'm glad the good Techs read this board. This has to be one of the best resources covering the very products they support.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon USA
~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~

CdTriX

join:2005-04-25
Mississauga, ON

reply to CdTriX
BTW i'm no longer with D-Link =) woo hoo =)

yeah.. i've seen a few techs browse the DSLreports website and this forum actually... it's a lot more informative when someone smart actually calls...

I was one of the good techs... i always solved cases.. and i knew what i was doing...

i got a lot of.. thank god you speak english.. wow someone that knows what's going on.. stuff like that...

trust me... once you've done the training.. you hit a brick wall.. on d-link products.. you come here when you want specific info.. people that actually do the testing and is accessible by everyone... and we don't get info on new stuff.

back when before we could send links to people... i used to remember a specific fix for a specific issue and send the customer to the link.

but you guys don't need my help... i'm level 1 and 2 support and most of you guys are beyond that... i just help the Joe Schmoes that can't set up their stuff

JimF

join:2003-06-15
Allentown, PA

reply to Hofbrau
Re: Remotely Exploitable Vulnerability In All D-Link Gateways

What I find curious is that a lot of the problems continue from one generation of hardware to the next. The UPNP stability issue is one well-known example. They obviously reuse as much of the code as possible. There is nothing wrong with that when it works. But they are only generating more support calls for themselves when the same problems reoccur time after time.

JB2001

join:2003-09-20
Columbia, SC

Yeah, but as I've noticed for years in many organizations, the folks who answer the phones are rarely the developers. In my experience, the support group is almost never even in the same branch of the organization as development, so there's little incentive to make the tech support person's job any easier. Doesn't look like Dlink is any exception.

neek

join:2005-06-20
Bakersfield, CA


1 edit
reply to DLinkSupprt3
said by DLinkSupprt3:

We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04

Firmware for the other models is currently being tested. We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it.

This Firmware update: DI-604 - 3.52 is for the DI-604 Rev. E. I have the DI-604 Rev. B, is there a Firmware update planned for it as well?


2lazy2register

@pacbell.net
reply to JimF
I've always had UPnP disabled in my DI-524 rev.A and have never had any problems.

computerman2
Premium
join:2002-04-20
Rockwood, MI
·AT&T Midwest


2 edits
I have a D-Link 524 Rev C, and family uses wireless to do banking. Is this still safe? Should I try disabling UPnP and see what happens? I want these PCs as secure as possible since family members do banking, bill payment and such. I'm wired up to the router, but can't wire the other machines, but if forced to wire, then I'm going back to my Netgear router.

ZoneAlarm is on all of theirs up there; mine is wired to it.

Anything I can do to make this router more secure until the firmware is updated, if it ever is?


Hofbrau

@rr.com

reply to DLinkSupprt3
"We have released firmware for the following models:

DI-604 - 3.52
DI-784 - 2.40
EBR-2310 - 1.04"

That's..somewhat..useful.

Handy if you have a 784 or a 2310 - but what if you have one of the 5 major revisions of the 604?

You don't mention which revisions that firmware update is appropriate for.

Could it be because you don't know? Could it be because D-Link simply doesn't want to offer a security update for the older revisions? Could it be because they aren't affected?

Hey, you know what would be a really neato idea?

You should issue some sort of press release/security advisory to the public, via any/all of your global domains, with general and specific information about the security vulnerability (such as the nature of the vulnerability, which models/revisions are affected), a firmware update release schedule, with links to already released firmware updates, etc.

Hey, I just thought that up all by myself.

I must be pretty neato cool, considering I don't have global revenues of 1 billion USD (as of 2005), with offices in over 90 countries, yet, I was somehow able to type up the original post in an attempt to inform the public and current customers so that they might be able to make (somewhat) informed decisions about usage/purchase of D-Link gateway products.

Just think about the level of support I could offer on this issue if I had several different web domains with a global presence in over 90 countries and revenues exceeding 1 billion USD (in 2005)....

Hmm.

"Firmware for the other models is currently being tested."

Well, that's good. I wouldn't want you to release a security update too soon without appropriate testing.

Considering that you were informed at one time about all the different (known) models affected, and considering that you already released updates for some models/revisions, and not for others, we can rest assured that obviously adequate testing was done on the already released firmware updates.

One doesn't need to wonder about the testing quality for the updates already released.

And surely one doesn't have to wonder if perhaps D-Link didn't bother testing all the models potentially at risk when initially informed, but rather got around to testing additional models for the vulnerability weeks/months later, thus once again demonstrating how competent the D-Link firmware engineers are, and how seriously D-Link takes security, especially for products sold in part as security devices.

And surely, no customer would want to perhaps be able to download the "secured" and "fixed" firmware as an unsupported "beta" for those models while D-Link spends more time "testing" the quality of the "fix".

Nah. What customer would want to be secure sooner rather than later, even with an unsupported firmware release? That would make people think D-Link took security seriously (for its part-security devices), and we couldn't have that.

"We're not trying to make light of the subject, but the problem found has to do with UPnP, which is a LAN side protocol, so the routers will not be susceptible to WAN side attacks because of it."

I sure hope it's the same problem as indicated by the eEye security advisory. If it isn't, that would just be another reason to take D-Link seriously when it comes to security.

So, considering your statement that the vulnerability exists in the UPnP functionality, wouldn't it seem prudent then, to advise customers to disable UPnP functionality in the affected gateway models, so as to mitigate and/or eliminate the exploit vector, at least temporarily?

And considering that no details of the vulnerability have been provided/specified, how do we know that the nature of the bug/flaw isn't exploitable directly from the WAN side?

Oh, right, we don't, because the hour or two (max) it might take to issue a press release/advisory/statement about the vulnerability, the affected models/revisions, the available firmware updates, and any mitigating steps users can take in the meantime, etc, is apparently too much to handle for a company with over 1 billion USD in global revenues.

Have you folks considered hiring a PR Manager? Perhaps a Product Security Manager or similar?

If you want, I'll write up a quick security advisory/press release for you, and you can put it up on all of your global web domains.

That way, you can avoid bad PR...oops. Too late.

Well, there's always professional pride...or not.

Cogitate,
Hofbrau


Hofbrau

@rr.com

reply to JTS33
"Ironically, disabling UPnP in the router control panel is what causes many DI-624 Rev. C3 to randomly reboot"

It might not be so ironic (or random) after all. It could very well be that disabling UPnP exposes the vulnerability in some manner, which allows incidental Denial of Service conditions to take place, an obvious symptom of which might be resetting of the gateway.

Virtually every vulnerability that allows for command execution, also allows for lower level DoS attacks in terms of exploitation.

You'll notice the tech never recommended disabling UPnP, which would be an obvious recommendation to make for an affected component/function, in general.

Could it be that the reason he didn't, is because doing so exposes the vulnerability?

I guess we'll never know until either eEye or D-Link issues a detailed advisory...

It's nice to know they both have our security in mind, by denying us information (or beta firmware updates still being tested) that would allow us to mitigate the vulnerability and/or reduce our exposure, and allow us to make (somewhat) informed decisions about products we own and use.

Cogitate,
Hofbrau


Hofbrau

@rr.com

reply to funchords
"I'm sorry, but this is making no sense to me at all."

I bet it doesn't.

It's what happens when one doesn't read (in this case the original post).

"First, D-Link does not list the 2100ap above."

Ayup. It's not a gateway. It's a wireless access point. As such, it wouldn't need UPnP IGD (Internet Gateway Device) 1.0 support, since, it's not a gateway. It could have UPnP WLAN Wireless Access Point 1.0 support, or even UPnP Basic Device 1.0 support, but, it doesn't.

It's not a gateway, and it doesn't have UPnP device support of any kind.

One might consider these additional "clues" that one apparently didn't bother reading the original post, or the content at the referenced link, or, didn't comprehend that the second post contains links to a different vulnerability.

"Second, the exploit mentioned seems to have nothing to do with UPnP."

Perhaps you should have read the original post, and not the second post, for details (as minimally provided) about the vulnerability.

Nothing in the provided "details" would exclude UPnP in any way, and would in fact include it, considering that the vulnerability is remotely exploitable, and UPnP IGD 1.0 is a "remotely accessible" service.

Reading - it works.

Cogitate,
Hofbrau


Hofbrau

@rr.com

reply to JimF
"It looks like the eEye report, and the reply from DLinkSupprt3 refers to "routers". The post from latinuser_uy refers to the DWL-2100ap, which is of course an access point, though it seems to be loosely referred to as a router also in some of the security reports. So there may be two different vulnerabilities."

Two different vulnerabilities.

The D-Link "tech" essentially confirms it with his statement regarding the vulnerability being related to the UPnP functionality - which isn't in play with the DWL-2100AP report.

"At any rate, they don't list the DI-634M as being affected, and you can turn off UPnP on that without a problem."

Different UPnP IGD 1.0 code modules most likely. There are plenty of vendors of UPnP device code these days, not to mention all the in-house modifications that chipset makers and device vendors can and do make with whatever code they licensed (assuming it's licensed, and not completely coded in-house).

"So I am hoping that the fix will allow UPnP to be turned off on the DI-524 as well. We can always hope."

It certainly would be nice if they included a stable mature robust secure UPnP IGD 1.0 implementation.

Considering all the exposure that Microsoft endured over its own insecure UPnP support code in Windows back in late 2001, you'd think a UPnP device implementer would "go the extra mile" when it comes to verifying and testing their UPnP code/functionality.

Also, considering that such UPnP code is modular, and available for licensing/usage from several sources/vendors, and considering that eEye only listed D-Link gateways being affected (assuming they tested other vendors popular models), one can reasonably assume that D-Link either coded its UPnP IGD module in house, or did in-house modifications to a licensed module from a third party.

Either way, it doesn't bode well for D-Link's in-house firmware engineering and development.

Cogitate,
Hofbrau


Hofbrau

@rr.com

reply to 524DJunk
"Does this mean there is a possibility that Dlink will update the DI524 Rev d firmware? It is utter garbage; your own tech told me so."

Take note of the fact that even though they list the 604 as being "fixed", the firmware update made available only applies to the E revision of the 604. Earlier revisions have no firmware update made available.

You might want to keep that in mind when it comes to your own situation with your 524 Rev D.

Cogitate,
Hofbrau


Hofbrau

@rr.com

reply to neek
"This Firmware update: DI-604 - 3.52 is for the DI-604 Rev. E. I have the DI-604 Rev. B, is there a Firmware update planned for it as well?"

Great question.

If only D-Link had a security advisory/statement with a FAQ to answer such questions.

Nah, that's expecting too much from them.

Cogitate,
Hofbrau