Call GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
account_mgr.cgi is safe, it takes web parameters "name", "pw" and calls the equivalent of
execlp(..., "account", "-u", name, "-p", pw);
"account" was written by the intern and runs sprintf(buf, "adduser \"%s\" -p \"%s\" >/dev/null", opt_u, opt_p);
system(buf);
That's nit-picky I know, but when some dude on the internet is trying to get clicks via manufactured rage at incompetent programmers, it's kinda ironic his code is buggy too.
https://netsecfish.notion.site/Command-Injection-Vulnerabili...
> The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.
> /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27
I know, I know, that would mean the exact command run, based on the reversed code shown on screen at https://youtu.be/-vpGswuYVg8?t=656 would be
adduser -u "';<INJECTED_SHELL_COMMAND>;'" -p "" >/dev/null
which would be harmless, so clearly if the PoC says %27 then the real format string must be more like "adduser -u '%s' ...". Maybe the Youtuber reversed the wrong firmware. But nonetheless, the point is gotten across. Not only was "the intern" tapped to write code that accepts user input from HTTP and also use system administration shell commands - and use C to do raw string handling, for that matter; who knows if `buf` is properly allocated? - but there was either no review/oversight or nobody saw the problem. Plus there are two layers of invoking a new program where surely one would suffice; and it's obviously done in a different way each time. Even programmers who have never used Linux and know nothing about its shells or core utilities should be raising an eyebrow at that.
Meanwhile, people want to use AI to generate boilerplate so that their own company's "the intern" can feel like a "10x developer" (or managers can delude themselves that they found one).
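As an added illustration for the discussion above (not code from the firmware, the video, or any commenter), assuming the hypothesised `adduser -u '%s' -p '%s'` format string and a hypothetical `adduser` helper that takes those flags: the unsafe builder only shows what string the shell would receive, while the hardened path allowlists the login name and hands argv straight to `execvp` with no shell in between.

```c
/* Added example: shell-string construction vs. direct exec with argv.
 * The format string and helper flags are assumptions, not the real firmware's. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern from the thread: the user-controlled name is pasted into
 * a shell command line. A quote inside "name" ends the quoted argument and
 * the shell parses whatever follows as further commands. This function only
 * builds the string so it can be inspected; it is never passed to system(). */
const char *build_unsafe_cmd(const char *name, const char *pw) {
    static char buf[512];
    snprintf(buf, sizeof buf, "adduser -u '%s' -p '%s' >/dev/null", name, pw);
    return buf;
}

/* Input policy: allowlist a POSIX-style login name (lowercase letters, digits,
 * underscore, hyphen; must start with a letter or underscore; 1..32 chars).
 * Anything else, quotes and semicolons included, is rejected outright. */
bool valid_username(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return false;
    if (!(islower((unsigned char)name[0]) || name[0] == '_')) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

/* Hardened invocation: validate first, then fork/execvp with a fixed argv.
 * No shell is involved, so even the password (passed as its own argv entry)
 * cannot break out into other commands. Returns the helper's exit status,
 * or -1 if the name fails validation or the helper could not be started. */
int safe_adduser(const char *name, const char *pw) {
    if (!valid_username(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"adduser", "-u", (char *)name, "-p", (char *)pw, NULL};
        execvp(argv[0], argv);
        _exit(127);  /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The PoC placeholder from the advisory, `';<INJECTED_SHELL_COMMAND>;'`, survives intact in the string the unsafe builder produces, and is rejected by `valid_username` before the hardened path ever forks.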
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".
https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading firmware
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).
CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance
https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.
(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
For that matter, nearly every shit-tier NAS vendor (WD, QNAP) has had some critical remote vulnerability in recent years. Some were notable for mass data loss incidents.
That aside, these companies are all very good at making very, very nice hardware at a price point consumers can afford. Some corners have to be cut and it's often software.
The dirty secret is many Internet of Shit device vendors outsource the software development, often to the lowest bidder in some offshore sweatshop. In some cases it's just a repackage of an ODM design from some no-name company in Shenzhen.
None of which are known for secure coding or good software practices.
Criticize all you want but this is a textbook example of getting what you paid for.
It's unreasonable to pay $100 for a D-Link box and expect it's Cisco ASA quality with free indefinite support.
Cisco, Juniper, and Palo Alto would all tell you to pound sand if you expect support after EOL or if you let your maintenance contract (aka protection racket) lapse.
https://www.techradar.com/pro/security/d-link-says-it-wont-p...
Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different
Right, my immediate reaction after reading the title was that D-Link might not patch their hardware, but others certainly will.
Dlink competitors should use this in their marketing.
Anecdotally, my elderly parents have asked me questions about ransomware and "our house getting hacked" because of segments they've seen on the mainstream nightly news. So the awareness is out there..
Except for unmanaged switches. These little D-Link unmanaged switches are little workhorses: I've got several so old I don't remember when I bought them. I take it D-Link didn't manage to fuck up even an unmanaged switch?
But having seen their approach to security, I probably won't buy D-Link again.
Every couple of weeks, the entire wired network goes down. Not even pinging addresses works. The D-Link's port LEDs are all flashing (perfectly in sync!) until I power cycle it. Then everything goes back to normal.
I have no idea what happens, and I should probably replace the D-Link soon.
STP is meant to prevent that. https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
Of course you can't set up STP with unmanaged switches, so until you go managed and set up STP properly nothing will change.
Although I'm 100% sure there are no loops, I haven't changed the actual cable layout in ages.
I'd hope not. I haven't seen it yet at least.
Edit: checked their site: apparently they are still in the game, I guess just nobody buys them
Only thing I liked about them is that they had “emulators” on their website which would let you see a dummy version of the UI of any router, which was invaluable for someone doing informal remote IT since you could walk someone through configuring it by knowing exactly what the config pages looked like. Useful especially since remote screen sharing was tougher 15 years ago.
TLS would not need to exist otherwise.
the basic gist is in the event of a cyberwar you could brick millions of people's routers and their only natural solution would be to go to BestBuy to get a new one... which almost certainly is running a 4-5yr old linux/firmware version that is equally vulnerable. Of course this requires some remote access or lateral entry from other systems on the network, but it's an interesting thought experiment regardless.
I think this is already way past "thought experiment". In the day of the 2022 invasion of Ukraine by Russia, thousands of satellite modems were deliberately bricked.
The lack of major cyber wins in the invasion of Ukraine is still very surprising though. Maybe holding their cards for something big (something they didn't expect to win in "3 days"), or US really helped prepare Ukraine, or it's harder than it sounds :)
Ransomware and bricking would probably be the primary risk though. And security cams, NAS, printers, etc.
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.
Do we know how they'd react if they ever did?
I'd usually give the EOL argument some credit, but this exploit is not an accident, someone deliberately wrote an unauthenticated remote command execution as a feature, and it made it to production, and no one in this long chain of failures thought to themselves "gee, maybe we shouldn't do this"
I don't hate D-Link (I don't care about them anywhere near enough to bother), but I think there's enough of a history of poor security practices to avoid their products...
If I told you that your fridge or car would be EOL in 5 years, and after that you should throw it away and buy a new one, you'd rightly laugh me out of the room.
I think it's worth taking a moment to consider why we let manufacturers get away with abandoning tech gadgets so quickly...
No such supply chain exists to patch proprietary firmware/software after the support period.
However, because they are routers that users will install and forget about, how are they even supposed to be made aware that these are end of life? D-Link, and other producers of consumer hardware, seem to think that it's fine to just EOL their products and say "go buy a new one". Being D-Link should be much harder than being Cisco. At least Cisco can assume that their customers are keeping up with product information, patches and so on. What is D-Link's plan for informing users that their product is no longer secure? I don't think they have one and that's pretty irresponsible because they should know that the majority of their customers aren't all that technically savvy.
I don't know if D-Link devices automatically pull updates, my guess is that they don't, but there should at least be an on-device indicator that this device is now EOL and should be used at the customer's own risk. It's fine to say that a device is EOL and no more updates will be made available, but they need to indicate to the customers that these devices are now at risk.
If you leave capitalism unchecked it will fuck you as hard as any other system.
A rule like this essentially forbids closed source software. (Which, hey, might be a good thing... but then just mandate that directly and outlaw closed source software licensing.)
Often because the cheap devices were either all I could afford or because I've even gotten them for free or basically free, like on flea markets.
You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?
I'm less confident that this is true. I think I know what the EOL is for all my networking equipment[0], you probably know the EOLs on your networking equipment, but I would wager that a majority of the population very understandably regards these things as appliances that you buy, plug in, and then it works indefinitely, and they do not in fact have any clue when the vendor will decide to stop providing security patches for it.
[0] Actually, now that I think about it no I don't; I was thinking of the core bits that I control, but the edge of my network is an ISP-provided box that I know essentially nothing about. Given that I don't manage it, I hope my ISP will send me a new one when it hits EOL but I don't know that.
my dad (and most dads) will be pissed he can’t drive his EV or anything of the tech gadgets he likes cause he’s not technically qualified for ownership and responsibilities that comes with it…? that sounds reasonable :)
in this world I would say the very least business could do is put up a disclaimer on the product “requires PhD from Carnegie Mellon to own”
I don't think even that is "ridiculous". It came out of the factory defective. This isn't about features or maintenance. How many years total would that be since last sale, still less than 15?
https://supportannouncement.us.dlink.com/announcement/public...
Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.
And the default page on routers ip is https://help.mikrotik.com/docs/spaces/ROS/pages/328060/Quick...
If it changed enough it won't matter.
D-Link tells users to trash old VPN routers over bug too dangerous to identify
More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.
Celeron N5105
CPU: Intel Jasper Lake Celeron Processor N5105, 4 cores 4 threads, 64-bit, 10nm, 2.0GHz up to 2.9GHz, 4M cache
GPU: Intel UHD Graphics GPU, 24EU, 450MHz up to 800MHz
vs
Alder Lake N100
CPU: Intel Alder Lake Processor N100, 4 cores 4 threads, 64-bit, 10nm, up to 3.4GHz, 6M cache
GPU: Intel UHD Graphics GPU, 24EU, up to 750MHz
I bought an N100 model to run as my backup server (PBS etc) and it's a cracker. Debian is so snappy on it.
Also runs another VM with some lightweight docker containers. Reliable little thing.
Would also go N100 if needed replacement.
Not really. Each newer OpenWRT release needs slightly more storage and memory than the previous one, and these devices at the lower end of the price spectrum tend to have as little storage and memory as they can get away with. Older devices with as little as 4 MB of storage and/or 32 MB of memory are already unable to run current OpenWRT releases, and devices with 8 MB of storage and/or 64 MB of memory are already on the way out. But yeah, other than that OpenWRT does tend to support devices way past their original EOL.
They're about $30-$50 USD for a 3 pack on eBay
Sometimes it's nice to be able to run a normal OS.
They probably used similar parts in another product and threw them into the routers for the additional order volume, known bring-up risk, and dev benefits. The pixel series also uses Samsung eMMC, iirc.
You could probably also just run openwrt without a gui and probably do fine.
Additionally, I like that openwrt works on higher end boxes now, like the zyxel gs1900 12, 24 and 48-port switches.
Take a look at Teltonika, that's basically what they do, but with nice over-provisioned hardware. Comes with the "industrial" price tag, but theirs is the most rock solid network gear I've ever used, and you actually receive frequent router and modem firmware updates.
I have one of their RUTX50 (5G LTE modem/router) at home and get ~550 Mbit/s through it, best internet I've ever had. I've never been forced to reboot it. I tried some consumer 5G modems before that and they were a total waste of money. I've also used their non-LTE gear elsewhere and it's the same pleasant experience, and naturally highly configurable due to OpenWRT without having to hack around.
https://firmware-selector.openwrt.org/?version=23.05.5&targe...
https://openwrt.org/toh/netgear/wndr3700
I always try to find out what's one of the best-supported OpenWrt routers at the time I'm shopping. And can I get one (or a few) of them on eBay at great prices.
WRT54-GL, WNDR3700(v2,v4) and WNDR3800, Netgear R7800.
I also have an OPNsense box that I'm evaluating. But, since OPNsense (FreeBSD) isn't strong on WiFi, I'd need to pair it with separate WiFi APs (running OpenWrt). I'm not liking the extra complexity, when an OpenWrt R7800 still does everything I really need right now.
The WRT54-GL stands out, while having a really long support life it's also just FE, 10/100Mbps. The others are gigabit Ethernet. Could possibly be replaced from the list by the D-Link DIR-825 (N, not AC) which is also at the same support level as the Netgear WNDR3700v2.
Their releases aren't really for _a_ device, but for a CPU architecture/chipset, so I don't know that I've actually run across any device that went unsupported before I replaced it anyway for reasons of wanting faster networking (i.e., 10/100 -> 1000; 802.11bgn -> 802.11n -> 802.11ac).
Many of them are also supported by OpenWRT.
It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent people's networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibility that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when it's done badly.
Stop e-waste and planned obsolescence.
If you fear losing sales on new HW, make it significantly better.
Though, as a life-long Android user, I've been jealously looking at how long apple have actually been supporting their iPhones (at least since the iPhone 6) and I'm seriously considering switching.
The 6S, 7, 8 all got feature updates for 7 years, and are still getting security updates after 9 years. The iPhone XS is still getting feature updates after 6 years. On Android, you are lucky to get 3 years of feature updates and 5 years of security updates.
Two major issues:
- "a 3rd party can patch it" != "a competent and non-malicious 3rd party will bother to patch it in a timely manner". Let alone "Joe User will search for, find, correctly identify, and install that saintly-3rd-party patch". At best, this would modestly reduce e-waste & obsolescence.
- Outside of maybe Apple, nobody selling little network products is designing their own silicon, or even has authority over all the IP in them. The latter is often locked down by a web of (international) supplier contracts. Trying to force retroactive changes to such contracts, at scale, could become a 1,000-lawyer disaster.
Consider Asahi linux with their years long efforts to make it possible to use something else as an OS on the Mac. Or something like broadcom drivers that's now practically a meme.
If I "buy" something it shouldn't come with a black box inside.
Yes there will be resistance. There will be foul play. But tectonic shifts will happen over time. And the ecosystem will evolve and thrive.
Not every product will be supported by 3rd parties. But it would open a market, often smaller and local actors.
If it raises only a handful of hobbyist learning opportunities, I already call it a win.
https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act
Skimming the regulation text, it seems it requires the manufacturer of a connected device to report on and quickly fix vulnerabilities within the device's "support period". The support period for device classes still has to be determined, but it seems it is a vital requirement for a device to get a CE certification (without which it otherwise is not allowed to be put on the EU market).
I myself moved on to a Ubiquiti Edge Router almost 10 years ago, but Ubiquiti didn't do a great job of that in the long term and they ditched the EdgeRouter/EdgeMAX line so I ended up (and I wasn't interested in the Unifi line for my router/firewall) buying a Protectli box, flashed coreboot and used pfSense for a while before eventually moving to OPNsense.
I came to the conclusion over this time that any consumer network equipment is basically junk and if you care at all about security you shouldn't use it; sadly that's easier said than done for non-techy folks.
Many pieces of older/cheaper hardware can be flashed with OpenWRT and I'd recommend that as the cheapest option for anyone who cares just a little and doesn't want to buy new hardware; everyone who really wants to make an effort should buy some hardware that can run a properly maintained router OS like pfSense or OPNsense, even an all-in-one wifi-router-switch if you don't want to build out an entire SMB network.
Currently using Unifi AP-AC Pros and Unifi 6 Pro around the house, but I keep having to move them around because the (newer) U6 Pro has atrocious range on both 2.4GHz and 5GHz compared to the AP-AC-Pro and my wife is getting annoyed at the poor WiFi signal on the living room TV (constant buffering), so I put the AP-AC-Pro back and it's better for the TV but slower for everything else.
Not sure if there's a better Unifi AP I can get for this part of the house or if I need to switch everything out, as I don't want to mix AP manufacturers/management tools.
Best thing about Mikrotik though is they've got this incredible management program called WinBox64.exe which is a 2.2mb single-file dependency-free executable that needn't be installed. It's super lightweight. Like they coded it without any frameworks. It feels like being back in the circa 2000 golden age of Windows, and the GUI is so rich and powerful and dense that it makes your desktop look like a hacker movie to normies who happen to be looking over your shoulder.
This is pretty much where I'm at. I went from having a fully wired home to moving into a larger, solid-brick home, since then, I've had to rely on adding APs to get coverage to certain critical points, because otherwise I need to do extensive work to run cables; there's nowhere to hide them in solid-wall houses other than to tear holes into the walls and bury them there; my wife won't settle for trunking all over the show.
I do need more APs, particularly in the upstairs, but the one that affects the TV shouldn't be a quantity issue; it resides on the ceiling, directly above the door to the living room, the TV is on the opposite side of the living room to the door, about 5 meters away. I suspect the couple of feet wide area of bricks about 8 inches thick is attenuating the signal from the U6 Pro enough to make it unusable for the TV, despite the wide open door frame directly below, while the AP-AC-Pro manages just fine. The reason I don't just add an AP _in_ the living room, is the same that I don't just run ethernet, which is that it's a challenge without doing lots of damage and thus remedial work to get the cables there.
I fully intend to run ethernet there, and everywhere else when I can, but we recently redecorated everywhere after we moved in, so my wife might just kill me if I do it now; and we're back to square one, death.
> Best thing about Mikrotik though is they've got this incredible management program...
That's amusing, hopefully I'll get to check it out if it can run under WINE, 2000 really was the golden age of Windows and I haven't run it since, every PC, laptop, server, etc in this house runs Linux or *BSD.
It would have been doable with OpenWRT’s robust scripting support, but was just a few clicks in the UI with Fresh Tomato.
There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.
In Germany there is something similar in place already, and the expectation is that products (and necessary apps to run the products) need to be updated for 5 years on average.
> When placing a product with digital elements on the market, and for the expected product lifetime or for a period of five years from the placing of the product on the market, whichever is shorter, manufacturers shall ensure that vulnerabilities of that product are handled effectively and in accordance with the essential requirements set out in Section 2 of Annex I.
Obvious problem - how could the manufacturer determine (let alone control) when, literally, that happened? They might tell when their major distributors and online retailers ran out of stock...but small distributors and bottom-feeding resellers and mom-and-pop retail? Impossible.
On-package labeling ("Software security updates for this thingie will be available until at least Dec. 31, 2029; also check our web site at https://support...") would be the only fool-proofish method.
The directive has an explicit 10-year expiry period, see (57)
> Given that products age over time and that higher safety standards are developed as the state of science and technology progresses, it would not be reasonable to make manufacturers liable for an unlimited period of time for the defectiveness of their products. Therefore, liability should be subject to a reasonable length of time, namely 10 years from the placing on the market or putting into service of a product (the ‘expiry period’), without prejudice to claims pending in legal proceedings.
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...
It was the first information I wanted to know, but it wasn't in the article.