Better late than never: D-Link has issued the promised patch that closes an administrative backdoor in its SOHO broadband routers. When the vulnerability was first discovered, the vendor promised to patch it by the end of October. The patch has now been issued here. If an attacker set their browser user agent string to read …
"Only turning off remote administration would protect the device."
For a SOHO bit of kit, I (being an admin/consultant) would not even connect the router to anything except the machine I'm using for initial setup, let alone the internet, without turning off remote admin--truly small offices (and home users) quite simply don't need that
bug feature. And in my personal opinion, using most D-Link offerings in a larger setting would be akin to suicide anyway.
So... it may be a backdoor, but for anybody who knows the very first bit about security, it would be turned off anyway. Sort of like people using "passw0rd" as a password tend to have their systems hacked into more often than those who use actual passwords. Hence, very limited news value in this article from my point of view. There's a bug in a router. Not going to be the last one. It can be switched off, but most users won't. Their problem. If you don't know how to handle your own kit, hire a pro. My hourly rates are reasonable...
Re: It can be switched off, but most users won't.
They won't because often they don't know about it and don't know how even if they did. Many home users and small businesses don't even know they can log onto the router to change the settings after the install man leaves and, even if they did and did know how to logon they have the fear of buggering the whole thing sideways and taking down their home/office network or customer wifi and having to pay a pro a "reasonable hourly rate" to fix what they've knackered that was otherwise "just working".
Remote admin should be disabled as factory default. This is my new armchair crusade!
Re: It can be switched off, but most users won't.
"Remote admin should be disabled as factory default. This is my new armchair crusade!"
On the products in question, it is disabled by default.
Joel Backdoor sounds like someone you'd find on Craigslist: 'Lonely med student looking to meet new people. If you're into broken glass and recycled hydraulic fluid hit me up. Extra points for sombreros and amputee furries'.
It isn't _all_ DLink routers (to be fair, the small number affected/effected ... I never know ... are listed on the Sec Advisory, linked in the article).
As for the backdoor being dropped in during development - Almost guaranteed, I would imagine. It looks like a "I'm bored of logging in and out, during our testing" addition and a Richard says, said Dev forgot to take it back out after testing had finished (not first, won't be last).
At least they fixed it (apparently) ... A month late is better than not at all, right?
And - as said here in comments and on the DLink Sec-Advisory - you should not have Remote Management turned on and it was not on by default ... But as also said, often and often on here, that's easy enough to say if you know what you are doing ...
OT: the small number affected/effected
Affect is almost always a verb, Effect is almost always a noun. So something affected is being influenced: "This model of router is affected by the problem", whereas something effected is being brought into being; it's a result: "The fix was effected by applying the firmware update".
Hope that helps.
Someone dropped the backdoor into the device ...
It's what CISCO does to most of it's InterNet network products and why Obama is supporting their sale - all NSA compliant.
Joel is sooo sacked.
If Joel was a one-man dev, test, package and deployment man for firmware, then yes. However in the case of a large company like D-Link that is sodding unlikely.
And number of D-Link routers updated?
I suspect that whilst D-Link have released a patch, very few products will actually be updated since this will require user intervention, and as others have pointed out Joe P(ublic) don't tend to mess with unfamiliar tech. particularly if it means they might loose their broadband connection.
Re: And number of D-Link routers updated?
True, but by the same token the same Joe's won't have enabled external access either. In fact they probably wouldn't have changed the default password and username either.
Putting on my mu-metal hat (tinfoil is not effective against the latest NSA/GCHQ measures), I have to wonder if the whole thing is just "motivation" getting users to "update" to a version more friendly to "lawful intercept".
Fact is, if "They" (NSA, GCHQ, RBN) want to do something nasty to you, they will, unless you go all Unabomber and live totally off the grid in some unheated (can't forget the IR-scanners in those drones) but
well-insulated cabin in the woods.
- Product round-up Coming clean: Ten cordless vacuum cleaners
- Something for the Weekend, Sir? I need a password to BRAKE? What? No! STOP! Aaaargh!
- Episode 13 BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
- Vulture at the Wheel Ford's B-Max: Fiesta-based runaround that goes THUNK
- Worstall @ the Weekend BIG FAT Lies: Porky Pies about obesity