Some D-Link Routers Affected by Severe Vulnerabilities; Only Some Get Patches

Security researchers probing D-Link routers have identified five severe vulnerabilities, and the company issued a Beta update for some of them. Unfortunately, some of the vulnerabilities will remain forever open because the devices reached end of life.

Support for commercial routers is often abysmal, with manufacturers rarely issuing updates. Many routers operating right now in people’s homes have gathered hundreds of unpatched vulnerabilities, and there’s no indication that they are ever going to get fixed. A recent study looked at this issue and found the situation is much worse than we imagine.

Researchers from ACE Team – Loginsoft found a number of severe vulnerabilities that include a buffer overflow in the `ssi` binary, leading to arbitrary command execution, a command injection vulnerability in the UPnP via a crafted M-SEARCH packet, exposed administration function, and an XSS vulnerability due to an unescaped value on the device configuration webpage.

D-Link issued a Beta patch covering some of the devices (DAP-1520), but explained that releasing firmware for devices that reached end of life or end of service is not operating procedure (DAP-1522 and DIR-816L).

“From time to time, D-Link will decide that some of its products have reached End of Support (“EOS”) / End of Life (“EOL”),” says the company. “D-Link may choose to EOS/EOL a product due to evolution of technology, market demands, new innovations, product efficiencies based on new technologies, or the product matures over time and should be replaced by functionally superior technology.”

Unfortunately, routers such as these can’t be updated remotely — customers have to download the firmware and install it. Now that the vulnerabilities have been exposed, along with proof of concept, hackers and other criminals will begin looking for susceptible routers.