D-Link Leaves Critical Hole Open for 5 Months, And Counting

Security vulnerability discoveries were reported last February to D-Link and surprisingly they still have not been fixed yet! The vulnerability allows remote code to be executed through the routersfirmware potentially leaving affected customers vulnerable to attack.The vulnerability can give an attacker complete control over any andall network traffic.

The effected products are:

• DI-524 (Wireless)
• DI-604*
• DI-624 (Wireless)
• DI-784* (Wireless)
• EBR-2310*
• WBR-1310 (Wireless)
• WBR-2310 (Wireless)

*(Denotes firmware update available)

D-Linkhas hardly said a word publicly about the issue and has only patched asmall portion of the devices affected. In fact the only word directlyfrom D-Link is from a supposed support staff member in a post on the DSLReports.com forums.According to that person the issue has to do with UPnP, a LAN sideprotocol thus reasoning that the problem isn't susceptible to WAN orinternet side attacks.

Unfortunately because some of theeffected routers are wireless it isn't unlikely that an attacker mightcompromise the router by gaining access to the wireless portion of therouter and injecting malicious code. Even secured wireless routersaren't foolproof and given enough time and resources these too can becompromised. The only advice that can be given at this point fromsecurity researchers is to discontinue using the affected routers untila fix is published by D-Link as there is nothing the consumer can to domitigate the issue themselves.

D-Link was also recently in the news when its engineers began using a FreeBSD NTP top level server as the primary time server for its devices. The issue was solved eventually, and new routers stopped using the NTP server.

News source: DailyTech