
Author Topic: DAP-1522 Publicly Disclosed Potential Vulnerability  (Read 6040 times)

JoeHombre

  • Level 1 Member
  • *
  • Posts: 23
DAP-1522 Publicly Disclosed Potential Vulnerability
« on: February 16, 2011, 10:12:45 AM »

Does anyone know the nature of the vulnerability that FW 1.31 is said to correct?

Joe
Logged

JoeHombre

  • Level 1 Member
  • *
  • Posts: 23
Re: DAP-1522 Publicly Disclosed Potential Vulnerability
« Reply #1 on: March 17, 2011, 06:16:08 AM »

Does anyone know the nature of the vulnerability that FW 1.31 is said to correct?

Joe

On the same day that I placed this post, I emailed D-Link product support asking the same question.  A month later, I have not received a reply from D-Link product support nor a D-Link forum moderator.

I consider it a relevant question to ask a manufacturer (re-branding) company for details about a potential vulnerability issue that they apparently didn’t know about initially then supposedly corrected.

If D-Link didn’t know of the vulnerability issue at first then sometime later discovered it and said it was fixed in a FW update -- are we to believe that the same folks that didn’t know the problem existed in the beginning are being honest that the issue was fixed?

If we the customers are not informed of the exact nature of the potential vulnerability problem how can we tell that it was fixed by being alert to possible vulnerability issues?  Also, what should those that do not update the FW be on-guard about?

Bad form D-Link.  You failed the integrity test, again!

Joe
Logged

zgates420

  • Level 1 Member
  • *
  • Posts: 23
Re: DAP-1522 Publicly Disclosed Potential Vulnerability
« Reply #2 on: March 18, 2011, 05:24:18 PM »

Well can you really blame them dude?  They probably don't want to give away any details of the vulnerability to prevent people from exploiting it.
Logged

JoeHombre

  • Level 1 Member
  • *
  • Posts: 23
Re: DAP-1522 Publicly Disclosed Potential Vulnerability
« Reply #3 on: March 18, 2011, 08:17:08 PM »

Well can you really blame them dude?  They probably don't want to give away any details of the vulnerability to prevent people from exploiting it.

I understand your point.  However, D-Link’s own web site for the FW 1.31 update (http://www.dlink.com/products/?pid=663) says “Closed a publicly disclosed potential vulnerability”.

So if the vulnerability has already been publicly disclosed -- likely, the bad folks already know what the “potential vulnerability” is.  But since D-Link isn’t talking, only us good guys don’t know what the “potential vulnerability” is.

I call this poor customer support.

Joe
Logged

zgates420

  • Level 1 Member
  • *
  • Posts: 23
Re: DAP-1522 Publicly Disclosed Potential Vulnerability
« Reply #4 on: March 18, 2011, 11:18:56 PM »

That is a valid point.  I also find their customer support very annoying.  Any time I call, I just get some person who barely speaks English attempting to help me.  I have no problem with people who aren't fluent in English, but when I need to find a solution to a networking problem (i.e. DAP-1522 not working with DIR-815 in wireless n mode, only a/b/g), speaking with someone who speaks fluent English is merely the first basic requirement.  I don't understand the purpose of patching me through to someone who is just reading some s*** off of a flow chart, I may as well just be reading the DAP-1522's website myself.  It's about as effective as putting 5-year-old children on the phone.  Get real, people.
Logged

JoeHombre

  • Level 1 Member
  • *
  • Posts: 23
Re: DAP-1522 Publicly Disclosed Potential Vulnerability
« Reply #5 on: April 17, 2011, 07:10:07 AM »

Even though I still have not heard from D-Link Product support or a Moderator on here, I did find this discussion http://www.dslreports.com/forum/r23623107-Help-Me-D-Link-Routers-One-Hack-to-Own-Them-All on DSLREPORTS which also contains this link http://dl.packetstormsecurity.net/papers/attack/dlink_hnap_captcha.pdf.  The bottom-line of those links is that without corrective FW, Log-ON for at least some D-Link Routers, APs, Bridges, etc., could be hacked.

If so, it affects at least some and maybe all D-Link network devices that use a Log-On, unless the FW has been updated by D-Link and loaded.  It would seem that affected D-Link equipment that has reached End-Of-Life and therefore no longer has FW updates remains vulnerable.

This info leads me to believe that the Potential DAP-1522 Vulnerability that I inquired about is in fact the one being discussed above.  If so, maybe the reasons that D-Link didn’t respond and isn’t more explicit about this issue are to: (a) down-play the significance and (b) keep those customers without possibility of a corrective FW update in-the-dark.

Joe
Logged