Monday, April 11th 2022
CISA Advises Owners of Certain D-Link Routers to Urgently Retire Them
The US Cybersecurity and Infrastructure Security Agency (CISA) is advising consumers and businesses to retire a whole range of D-Link routers, because the devices are end-of-life (EOL) and affected by a severe vulnerability tracked as CVE-2021-45382. This is a remote command execution (RCE) vulnerability that is not likely to get patched by D-Link, and it is considered serious enough that these devices should be taken offline post-haste. The vulnerability would allow an attacker to take over these devices using "diagnostic hooks" in the ncc2 service, which is tied to the DDNS function, and to gain full access by injecting malicious code.
Proof of concept code already exists on GitHub, which makes it even more likely that this attack vector will be used. The known affected devices so far are the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L, and all hardware revisions are affected. Most of these routers were released around 2012 to 2014 and are either 802.11n or 802.11ac devices based on what appears to be Realtek or Ralink (now MediaTek) hardware. These aren't the only devices that CISA has given advice on recently: it also recommends retiring the D-Link DIR-610 and DIR-645, as well as the Netgear DGN2200.
Sources:
CVE-2021-45382, via Malwarebytes
26 Comments on CISA Advises Owners of Certain D-Link Routers to Urgently Retire Them
My Asus n66u is 10 years old and still getting updates.
www.asus.com/event/network/EOL-product/
I have a TP Link router Archer C7 but I only use it for inside applications, behind another router, which makes it technically impossible to hijack it. However, I see my own server logs and often full exploit commands being sent by all sorts of random sources.
There are so many outdated devices on the internet participating in a botnet these days... it will only get worse if people don't ever update these things (or replace them).
But even 2020 is 8 years of support. Last DLink router I had barely made 4 years.
Wait, I take that back, no I guess I'm not really surprised. :rolleyes:
And just for fun. Chose 820L revB randomly. Released 2013. Last FW 2015. So 2 years. If that’s not abysmal I don’t know what is.
replacing router every 2 years with a new one = hard NO
support.dlink.ca/ProductInfo.aspx?m=DIR-820L
PS: I can be even more pessimistic and say that even among those that are tech-savvy, a good amount of people will not care one bit.
Most people don't know squat about computers or the equipment they own or even care to learn. Think of your parents, etc.
They just want to pick up a phone and call a support line.
We are a different breed.
Nowadays even a Ph.D in computer science may only get you a condo (YMMV).
In this context I may actually prefer to be a burger flipper and live a simple life in a huge house, instead of coding millions of lines per month just to be able to afford the fancy double latte pumpkin chocolate macchiatos.
Use it ~2 yrs till no moar updates, throw it away, buy a new one, rinse repeat yada yada yada,,
This is the exact reason I will NOT buy a Motorola phone.....although I really like most of their designs and prices....
BTW I love D-Link stuff, easy to work with and reliable, and I don't need an app to use it.
Also there are a shit ton of router viruses out there, once people have access to hardware they can fuck with it, welcome to the internet.
I wish we had better consumer protection laws here in the US, in order to motivate these companies to do the actual right thing, instead of "the right thing" for their shareholders.
Merlin is another option, but as both of these work with what's available from Netgear or Asus respectively, they have limitations to what they can offer.
That said, what I meant was options like OpenWRT or DD-WRT, which tend to support a lot of different hardware. I have OpenWRT installed on two TP-Link devices and although it's a bit of a pain to configure, the latest version is a lot better than it used to be and both products are working better with OpenWRT than they ever did with the TP-Link firmware.
There should be legal requirements for routers to receive updates for at least five years, maybe 10 years for critical vulnerabilities like this.