
CISA Advises Owners of Certain D-Link Routers to Urgently Retire Them

TheLostSwede

News Editor
The US Cybersecurity and Infrastructure Security Agency, or CISA, is advising consumers and businesses to retire a whole range of D-Link routers, due to the devices being EOL. This is due to a severe vulnerability that affects the devices that goes under the CVE-ID of CVE-2021-45382. This is a remote command execution (RCE) vulnerability and it's not likely to get patched by D-Link and is considered serious enough that these devices should be taken offline post-haste. The vulnerability would allow an attacker to take over these devices using "diagnostic hooks" in the ncc2 service, which is tied to the DDNS function and would allow an attacker to gain full access by injecting malicious code.

Proof of concept code already exists on GitHub, which makes the likelihood of this attack vector being used even more likely. The known affected devices so far are the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L and all hardware revisions are affected. Most of these routers were released around 2012 to 2014 and are either 802.11n or 802.11ac devices based on what appears to be Realtek or Ralink (now MediaTek) hardware. These aren't the only devices that CISA has given advice on recently, as the D-Link DIR-610 and DIR-645, as well as the Netgear DGN2200 are also devices that CISA recommends retirement for.



 
A ton of e waste because no firmware update. Sad.

My Asus n66u is 10 years old and still getting updates.
 
A ton of e waste because no firmware update. Sad.

My Asus n66u is 10 years old and still getting updates.
It might be possible to install an alternative firmware on them, but I didn't bother looking it up.
 
It might be possible to install an alternative firmware on them, but I didn't bother looking it up.

OpenWRT is such a thing. But the amount of routers accepted is limited.

I have a TP Link router Archer C7 but I only use it for inside applications, behind another router, which makes it technically impossible to hijack it. However I see my own server logs and often full exploit commands being sent by all sorts of random sources.

There are so many outdated devices on the internet participating in a botnet these days... it will only get worse if people don't ever update these things (or replace them).
 
A ton of e waste because no firmware update. Sad.

My Asus n66u is 10 years old and still getting updates.
Asus is one of the best vendors when it comes to supporting their routers. I used to be a D-Link guy maybe 15 years ago but haven't gone back and probably never will.
 
It's utterly amazing how DLink has to rely on CISA to dish out public warnings.


Wait, I take that back, no I guess I'm not really surprised. :rolleyes:
 
Asus is one of the best vendors when it comes to supporting their routers. I used to be a D-Link guy maybe 15 years ago but haven't gone back and probably never will.
Same

And just for fun. Chose 820L revB randomly. Released 2013. Last FW 2015. So 2 years. If that's not abysmal I don't know what is.

Replacing router every 2 years with a new one = hard NO

 
The n66u is EOL and hasn't gotten an update since 2020. If you've been getting them, then you are on third party firmware.

Yep.
But even 2020 is 8 years of support. Last DLink router I had barely made 4 years.

And sounds like D Link say fck it when the shit hits the fan

is advising consumers and businesses to retire a whole range of D-Link routers, due to the devices being EOL. This is due to a severe vulnerability that affects the devices that goes under the CVE-ID of CVE-2021-45382.

And which is it? EOL or lack of getting it fixed? Either way doesn't seem good.
 
And which is it? EOL or lack of getting it fixed? Either way doesn't seem good.
Well, both. EOL normally means no more support.
 
dd-wrt probably supports most
 
It's utterly amazing how DLink has to rely on CISA to dish out public warnings.
You say that as if anyone outside of tech-savvy people will heed them.

PS: I can be even more pessimistic and say that even among those that are tech-savvy, a good amount of people will not care one bit.
 
You say that as if anyone outside of tech-savvy people will heed them.

PS: I can be even more pessimistic and say that even among those that are tech-savvy, a good amount of people will not care one bit.
Facts.

Most people don't know squat about computers or the equipment they own or even care to learn. Think of your parents etc.

They just want to pick up a phone and call a support line.

We are a different breed.
 
If your vendor hasn't put out a fw update for your router in 2 years it's probably vulnerable even if it's not on this list. It's a bad enough problem that when I buy a router (or a mb ftm) I do a spot-check beforehand of their other hardware from the last few years to see how they've been supporting it with updates. Some companies are just bad at fw updates from the start, others are good at frequent updates for ~2 years and then never touch anything older than that again, and the good ones will update long-term until a more realistic hardware EOL.
 
Most people don't know squat about computers or the equipment they own or even care to learn. Think of your parents
Yet they were able to buy a 1500 sq.ft. house while one of them is working part time at the local cafeteria, and the other collects butterflies.
Nowadays even a Ph.D in computer science may only get you a condo (YMMV).

In this context I may actually prefer to be a burger flipper and live a simple life in a huge house, instead of coding millions of lines per month just to be able to afford the fancy double latte pumpkin chocolate macchiatos.
 

So basically they're saying: reminder, we're not updating these no more, buy another one. How nice of them, so thoughtful.
 
This is shit Conglomerated Consumerism Clusterfuck 101 at its finest for ya.... just like cellphones...

Use it ~2 yrs till no moar updates, throw it away, buy a new one, rinse repeat yada yada yada,,

This is the exact reason I will NOT buy a Motorola phone.....although I really like most of their designs and prices....
 
If your technology wasn't retired every so often you wouldn't need to buy more. The "tech" we're allowed to buy is designed to be replaced.

BTW I love D-Link stuff, easy to work with and reliable, and I don't need an app to use it.

Also there are a shit ton of router viruses out there, once people have access to hardware they can fuck with it, welcome to the internet.
 
What surprises me is how D-Link is still even in business, they are like Belkin imho
 
Yes, dump your perfectly working router and buy new ones to spur the economy and fill the pockets of the rich further. The truth is you can buy a new router, but I can guarantee that the new router will have some security flaw to begin with. You can argue that the security flaw can be patched, but I’ve never seen any device that is connected to the web and will get to a point where the patch will resolve ALL security flaws. There is nothing man made that is perfect.
 
It might be possible to install an alternative firmware on them, but I didn't bother looking it up.
I think the last two or three times I've used third-party firmware, the developers stopped bothering with updates, even when the original manufacturer was still providing updates.

I wish we had better consumer protection laws here in the US, in order to motivate these companies to do the actual right thing, instead of "the right thing" for their shareholders.
 