by lobo_tuerto on 11/26/24, 8:36 PM with 170 comments
by autoexec on 11/27/24, 12:09 AM
https://www.techradar.com/pro/security/d-link-says-it-wont-p...
D-Link has a long history of putting out insecure and even backdoored devices, so anyone with a D-Link device is probably better off buying something different.
by ak217 on 11/27/24, 2:16 AM
More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.
by mitjam on 11/27/24, 11:55 AM
There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.
In Germany there is something similar in place already, and the expectation is that products (and necessary apps to run the products) need to be updated for 5 years on average.
by smitelli on 11/26/24, 11:47 PM
by alias_neo on 11/27/24, 11:10 AM
I myself moved on to a Ubiquiti EdgeRouter almost 10 years ago, but Ubiquiti didn't do a great job of that in the long term and they ditched the EdgeRouter/EdgeMAX line, so I ended up (since I wasn't interested in the UniFi line for my router/firewall) buying a Protectli box, flashed coreboot and used pfSense for a while before eventually moving to OPNsense.
I came to the conclusion over this time that any consumer network equipment is basically junk and if you care at all about security you shouldn't use it; sadly that's easier said than done for non-techy folks.
Many pieces of older/cheaper hardware can be flashed with OpenWRT, and I'd recommend that as the cheapest option for anyone who cares just a little and doesn't want to buy new hardware; everyone who really wants to make an effort should buy some hardware that can run a properly maintained router OS like pfSense or OPNsense, even an all-in-one wifi-router-switch if you don't want to build out an entire SMB network.
by 486sx33 on 11/27/24, 12:40 AM
by tptacek on 11/27/24, 12:56 AM
by fresh_broccoli on 11/27/24, 1:11 AM
Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.
by wuming2 on 11/27/24, 1:25 AM
by zahlman on 11/27/24, 12:09 AM
by slimebot80 on 11/26/24, 11:52 PM
by guidedlight on 11/27/24, 2:00 AM
by markhahn on 11/27/24, 1:48 AM
by ChrisArchitect on 11/27/24, 1:44 AM
D-Link tells users to trash old VPN routers over bug too dangerous to identify
by clwg on 11/27/24, 12:17 AM
by isodev on 11/27/24, 4:44 AM
by znkynz on 11/27/24, 12:41 AM
by pt_PT_guy on 11/27/24, 7:58 AM
by pcl on 11/27/24, 11:42 AM
It would have been doable with OpenWRT’s robust scripting support, but was just a few clicks in the UI with Fresh Tomato.
by dmix on 11/27/24, 12:11 AM
by DocTomoe on 11/27/24, 9:02 AM
by chipweinberger on 12/1/24, 12:23 AM
It was the first information I wanted to know, but it wasn't in the article.
by a1o on 11/27/24, 1:12 PM
by sitkack on 11/27/24, 6:26 AM
by o11c on 11/26/24, 11:49 PM
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".
https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading firmware.
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).
CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance
https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.
(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
by Uptrenda on 11/27/24, 3:16 AM
It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent people's networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibility that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when it's done badly.
by seam_carver on 11/27/24, 3:35 AM
by TheRealPomax on 11/27/24, 12:54 AM
You knew your device was no longer supported and would no longer receive security updates; "someone found an exploit" is kind of a given, and "D-Link won't patch it" equally so?
by likeabatterycar on 11/27/24, 12:14 AM
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.