Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[stevebythebay]

So where is the new firmware? 

http://www.computerworld.com/s/article/9145139/D_Link_issues_fixes_for_router_vulnerabilities?source=CTWNLE_nlt_security_2010-01-15

[Cobra]

First===http://forums.dlink.com/index.php?topic=10330.msg61858#msg61858

Second===there is a new beta released today.

http://forums.dlink.com/index.php?topic=10470.0

[stevebythebay]

Considering that the code you're pointing to is not officially supported, that doesn't qualify as far as I'm concerned. 

And it's not what the ComputerWorld article would suggest that D-Link is offering its users.

[Cobra]

Did you bother to read the first link?

Look at the full write up. It states what firmwares are actually effected.
1.20 for the 655? That OLD.
And it's 1.20EU not even a north american firmware.

That writeup is about OLD firmware and Europe not the USA.

Are you using newer than 1.20?

Are you in Europe?

[stevebythebay]

Actually the article http://www.sourcesec.com/Lab/dlink_hnap_captcha.pdf from SourceSec Security Research states:

"Affected Products

It is suspected that most, if not all, D-Link routers manufactured since 2006 have HNAP support and
are vulnerable to one of the below described vulnerabilities. However, only the following routers and
firmware versions have been confirmed to date:

1) DI-524 hardware version C1, firmware version 3.23
2) DIR-628 hardware version B2, firmware versions 1.20NA and 1.22NA
3) DIR-655 hardware version A1, firmware version 1.30EA"

While the ComputerWorld article says:

"D-Link and SourceSec differed over which models were vulnerable. SourceSec wrote that it suspected that all D-Link routers made since 2006 with HNAP support were affected, but they said they had not tested all of them.

D-Link said the models affected are the DIR-855 (version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B). Three discontinued models -- DIR-615 (versions B1, B2 and B3), DIR-635 (version A) and DI-634M (version B1) -- are also affected.

The company said new firmware updates are being made available across its Web sites."

Clearly it would help if D-Link clears up the issue.

[Cobra]

Have you even tried to run the utility to see if you ARE in fact affected?

Before I upgraded to the latest beta I did run the utility and my router passed so I was not in any danger.

[stevebythebay]

I have not run any program, nor should I need to.  This is a simple case: either the hardware product, along with the shipped or updated firmware, fixes the problem or it does not, assuming of course that the problem truly exists. 

It would appear from the ComputerWorld article that D-Link has confirmed that a problem exists for 4 versions of the 655 hardware, though it is not clear as to firmware status.

It's up to D-Link to assess the product's vulnerabilities on an on-going basis, identify if fixes are really needed or not, and make necessary changes.  Most importantly to users, the company needs to adequately inform users of the facts as they understand them, provide direction/solutions, and communicate this all in a clear and effective manner.

This forum is not that means, and I wouldn't expect that from any company.  All I would hope is that some form of communication about the level of threat, short term protection (if any), and longer term plan for a fix be adequately communicated to registered users. 

I'm not looking for a product recall (as with some products like cars, ground beef, etc.) but a reasonable set of actions on their part.  This is simply good product support and will lead to both current customer satisfaction and the likelihood that customers will continue to buy products from D-Link.

[Cobra]

http://forums.dlink.com/index.php?topic=10330.0

[sesca]

Post any information regarding this topic to:
http://forums.dlink.com/index.php?topic=10458.0

Keeping the posts unified makes it easier to monitor than searching for multiple threads.