back to article Turn off remote admin, SOHOpeless D-Link owners

It's 2016, and D-Link still can't get its Home Network Automation Protocol (HNAP) implementation right. In a terse advisory, the Carnegie-Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow. “Processing malformed SOAP messages when performing the HNAP Login action causes a …

  1. Ole Juul Silver badge

    The only workaround is to disable remote administration.

    So do that.

    1. Jon 37

      Re: The only workaround is to disable remote administration.

      Still vulnerable to exploit from inside the LAN.

      This means that if someone gets malicious code running on any PC inside your network, then they can use this vulnerability to take control of your router, and in turn use that to attack the other PCs on your network (fake DNS responses etc).

      This is also a problem for coffee shops or other businesses who kindly share their Wi-Fi - any customer can hack their router.

      1. Pascal Monett Silver badge

        Re: Still vulnerable to exploit from inside the LAN.

        Protecting a Home LAN from outside attack is difficult enough. Protecting from inside malicious attack seems to me to be next to impossible.

      2. SoloSK71

        Re: The only workaround is to disable remote administration.

        this and other stories like it are why i am less and less sorry for paying for a commercial grade firewall and security appliance for my home network

        1. Anonymous Coward
          Anonymous Coward

          Re: The only workaround is to disable remote administration.

          "this and other stories like it are why i am less and less sorry for paying for a commercial grade firewall and security appliance for my home network"

          Indeed, while primarily a learning exercise, I have setup a decent smart switch, router and a few subnets isolating wireless, wired and untrusted devices, squid + iptables restrict access to the router.

          Although I'm not entirely sure this qualifies as a "home" network anymore, despite its location.

  2. Doctor Syntax Silver badge

    'As Ribeiro notes, “D-link has a long history of vulnerabilities in HNAP”, many of them attributed to embedded device hacker Craig Heffner of dev/ttyS0.'

    Was Craig Heffner responsible for creating the vulnerabilities or for the discovery of them? I suspect you meant the latter but the wording implies the former.

    1. You aint sin me, roit

      The nature and frequency of these errors does make you wonder. Occam's razor suggests it's just sheer incompetence, but ..

  3. Anonymous Coward
    Anonymous Coward

    A very fine (almost invisible line).....

    between poacher and gamekeeper.

  4. Gert Leboski

    Why?

    Who allows remote administration of a consumer router anyway?

    uPnP and remote administration never gets enabled for my LAN.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019