• September 22, 2020, 02:48:18 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Pages: 1 [2]

Author Topic: Security broken on dns-323  (Read 15581 times)

m3rs4

  • Level 1 Member
  • *
  • Posts: 2
Re: Security broken on dns-323
« Reply #15 on: October 22, 2008, 11:22:10 PM »

Thanks puterboy  for finding those issues involving security. I really think Dlink must patch those holes in the next firmware ASAP.  Whats the point of having a handful features such as NETWORK ACCESS LIST, USER or GROUP settings when a single http request can get around all that?
« Last Edit: October 22, 2008, 11:36:33 PM by m3rs4 »
Logged

hilaireg

  • Level 3 Member
  • ***
  • Posts: 348
Re: Security broken on dns-323
« Reply #16 on: October 23, 2008, 05:03:55 AM »

I'm going to assume the tests were done on f/w 1.05

I was able to reproduce the 'passwrd' vulnerability but was not able to reproduce the others mentioned in the post ... BTW: the 'passwrd' vulnerability doesn't appear to work on the DNS-343 f/w 1.02.

In order to assist D-Link, a steps-to-reproduce should be emailed to their support engineers - not posted on this forum.  This ensures that the knowledge on how to reproduce the vulnerability be provided to the engineers, QA testers for future f/w versions, and be kept as secret as possible to prevent it from being exploited by Trojans, Viruses, etc.  Additionally, wouldn't want the kiddies or guests staying over to stumble on this thread  ;)

I don't typically store any confidential information on any NAS - it's simply not best security practice to do so.  I'll let 'Google' provide supporting White Papers.  Just don't confuse NAS with SAN ;)

Additionally, I disable the options noted below to reduce the exposure:

- iTunes Server
- FTP Server
- UPnP

So at best, the only folks that can access the 'pulbic' data on the NAS are those on the private LAN or those who have been granted access over wireless.

Like others have posted, I prefer stable firmware releases over multiple releases - I've experienced many a f/w updates bricking a device to know that gradual roll-of f/w updates is the only way to go.

Cheers,

PS: Throw a Mac on your LAN and see how "secure" your LAN really is  ::)
Logged

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: Security broken on dns-323
« Reply #17 on: October 23, 2008, 05:46:40 AM »

Thanks puterboy  for finding those issues involving security. I really think Dlink must patch those holes in the next firmware ASAP.

Actually - those "vulnerabilities" have been known about for many months, long before 'puterboy came along - it would be interesting to find out if he dsicovered them on his own, or if he learned about them, the same way I did -  from someone else.  Search this forum, if you want to know when they were first mentioned.

Quote
Whats the point of having a handful features such as NETWORK ACCESS LIST, USER or GROUP settings when a single http request can get around all that?

Let me put it this way - if you hadn't read 'puterboy's expose, would you have been able to craft the "single http request" required to get around it?

And before people misunderstand where I'm coming from (AGAIN) - even with this security hole, the level of security provided is adequate for the environment in which the device is intended to be used - look at the difference between 'puterboy's post and hilaireg's post - one is alarmist and the other realistic - sure anyone with access to your local LAN can get access, but, WHO has access to your local LAN becomes the question - and in a residential and environment, most people with access to the local LAN also have physical access - anyone who wants to get you data needs only to pickup the DNS-323 and walk out with it.
Logged
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

mig

  • Level 3 Member
  • ***
  • Posts: 217
Re: Security broken on dns-323
« Reply #18 on: October 23, 2008, 09:35:38 AM »

Search this forum, if you want to know when they were first mentioned.
http://forums.dlink.com/index.php?topic=1820.0
Logged

ECF

  • Poweruser
  • Level 11 Member
  • *
  • Posts: 2692
Re: Security broken on dns-323
« Reply #19 on: October 23, 2008, 02:58:45 PM »

This issue will be patched in firmware 1.06.
« Last Edit: October 23, 2008, 03:26:54 PM by D-Link Multimedia »
Logged
Never forget that only dead fish swim with the stream
Pages: 1 [2]