D-Link abandons patch for critical vulnerability affecting over 60,000 routers, urging users to 'replace' them



Several bugs, including a critical vulnerability, were discovered in multiple router models manufactured by Taiwanese telecommunications equipment manufacturer D-Link. However, D-Link indicated that it would not fix the vulnerabilities because support for those products had ended, and urged users to update their devices.

D-Link won't fix critical flaw affecting 60,000 older NAS devices

https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/

D-Link won't fix critical bug in 60,000 exposed EoL modems
https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/

D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
https://www.bleepingcomputer.com/news/security/d-link-urges-users-to-retire-vpn-routers-impacted-by-unfixed-rce-flaw/

D-Link says it won't patch 60,000 older modems, as they're not worth saving | TechRadar
https://www.techradar.com/pro/security/d-link-says-it-wont-patch-60-000-older-modems-as-theyre-not-worth-saving

The vulnerabilities in question were discovered by security researcher Netsecfish in several models of D-Link network-attached storage (NAS) devices that are popular with small and medium-sized businesses.

The vulnerability, numbered ' CVE-2024-10914 ', affects the following models:
・DNS-320 version 1.00
・DNS-320LW Version 1.01.0914.2012
・DNS-325 version 1.01, version 1.02
・DNS-340L Version 1.08



CVE-2024-10914 has a

CVSS score of 9.2, which is considered 'fatal.' If exploited, an unauthenticated attacker could send a specially crafted HTTP GET request to the device and execute arbitrary shell commands.

When Netsecfish searched for devices affected by CVE-2024-10914 on FOFA, an IoT device search engine, he found 61,147 devices across 41,097 unique IP addresses.



However, in

a security advisory issued by D-Link on November 8, 2024, the company stated that 'products that have reached End of Life (EOL) or End of Service Life (EOS) will no longer receive software updates and security patches, and will no longer be supported by D-Link,' informing users that no patch would be distributed because support for the affected products had been discontinued by 2021.

Subsequent research by security researcher Chaio-Lin Yu has found seven more vulnerabilities in the D-Link DSL6740C, including one that is rated as extremely severe (CVSS score 9.8) because it allows an attacker to change the password of any user.

It has also been confirmed that approximately 60,000 DSL6740C units are in operation.



In addition, the details of some vulnerabilities have not been disclosed because the risk of exploitation is so high. The following products are affected by this vulnerability, discovered by security researcher delsploit:

Model EOS
DSR-150 May 1, 2024
DSR-150N May 1, 2024
DSR-250 May 1, 2024
DSR-250N May 1, 2024
DSR-500N September 30, 2015
DSR-1000N October 30, 2015


However, D-Link did not distribute any patches for these issues either, instead stating in its security advisory that customers should 'upgrade to newer products.'

'Even though scans found tens of thousands of exposed endpoints, D-Link decided not to address the risks,' said BleepingComputer, an IT news site.

In the comments section of BleepingComputer, comments such as 'It certainly seems like it's time to switch to a device from another manufacturer' and ' If that's the case, they should stop selling it on Amazon too' have been posted.

in Security, Posted by log1l_ks