Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.
Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.
This bug is so serious that the vendor is not releasing any details about it at all, because doing so would help the Bad Guys create exploits. There will not be a patch because all of these devices are End-Of-Life.
Affected devices (all hardware revisions) include:
DSR-150 (EOL May 2024)
DSR-150N (EOL May 2024)
DSR-250 (EOL May 2024)
DSR-250N (EOL May 2024)
DSR-500N (EOL September 2015)
DSR-1000N (EOL October 2015)
If you have one of these, you need to replace it. Details are interesting (at the link) but the bottom line is: get shopping.

4 comments:
Thank you!
Had a D-Link router I wasn't using - just threw it in the trash.
It doesn't cost them much to release a patch. Not doing so for millions of devices that just recently hit their arbitrary EOL date is just a transparent grift.
What are your thoughts on self-building a router?
Particularly as outlined here: https://wiki.futo.org/index.php/Introduction_to_a_Self_Managed_Life:_a_13_hour_%26_28_minute_presentation_by_FUTO_software#Why_Build_Your_Own_Router?