D-Link won't patch its older VPN routers, leaving critical vulnerability unaddressed

midian182

A hot potato: D-Link is strongly recommending that users of its older VPN routers replace the devices following the discovery of a serious remote code execution (RCE) vulnerability. As the models have reached their end of life and end of support dates, they won't be patched to protect against the flaw.

The vulnerability, reported to D-Link by security researcher 'delsploit,' has not been assigned a CVE identifier. The technical details have not been published either, which gives customers time to react before cybercriminals start attempting to exploit it. What is known is that it is a stack buffer overflow that allows an unauthenticated attacker to execute code remotely on the device.
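The bug class named above, as an added generic illustration. This is example code written for this page; it is not D-Link firmware and not the undisclosed DSR flaw, and the handler names, the request field and the 16-byte buffer size are assumptions. It places the vulnerable pattern (an unbounded copy of an unauthenticated request field into a fixed stack buffer) beside a bounded version that rejects over-long input instead of overflowing.

```c
/* Added illustration of a stack buffer overflow in an unauthenticated
 * request handler. Generic example code, NOT D-Link's firmware; the
 * buffer size, field and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: copies an attacker-controlled field into a fixed
 * stack buffer with no length check. strcpy() keeps writing past 'name'
 * once the input exceeds NAME_MAX-1 bytes, clobbering the saved frame
 * pointer and return address on most ABIs, so an attacker who controls
 * those bytes redirects execution. Kept here only to show the shape of
 * the bug; never call it with untrusted input. */
int handle_request_unsafe(const char *untrusted_field) {
    char name[NAME_MAX];
    strcpy(name, untrusted_field);          /* unbounded copy: the bug */
    return (int)strlen(name);
}

/* Hardened form: find the terminator within the bound before copying,
 * and reject input that does not fit rather than truncating it silently.
 * Returns the copied length, or -1 if the field would overflow. */
int handle_request_safe(const char *untrusted_field) {
    char name[NAME_MAX];
    /* memchr only scans NAME_MAX bytes, so it never reads past an
     * unterminated input either. */
    const char *end = memchr(untrusted_field, '\0', NAME_MAX);
    if (end == NULL)
        return -1;                          /* >= NAME_MAX bytes: would overflow */
    size_t len = (size_t)(end - untrusted_field);
    memcpy(name, untrusted_field, len);
    name[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs: a normal value and an over-long one of the
 * kind any unauthenticated client on the network can send. Returns 1
 * when the safe handler accepts the first and rejects the second. */
int demo(void) {
    char oversized[256];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    int ok = handle_request_safe("admin");
    int rejected = handle_request_safe(oversized);
    printf("short input: %d, oversized input: %d\n", ok, rejected);
    return ok == 5 && rejected == -1;
}
```

The point of the bounded version is that the check happens on the size of the destination, not on anything the client claims about its own data; on a router whose management interface is reachable by unauthenticated clients, every such copy is an attack surface.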

All hardware and firmware versions of the following devices are affected:

  • DSR-150 (EOL May 2024)
  • DSR-150N (EOL May 2024)
  • DSR-250 (EOL May 2024)
  • DSR-250N (EOL May 2024)
  • DSR-500N (EOL September 2015)
  • DSR-1000N (EOL October 2015)

D-Link emphasizes that it will not be releasing patches for the six affected models, as they have all reached EOL or EOS, most of them in May 2024 and two in 2015. The company writes that its general policy is that when products reach EOS/EOL they can no longer be supported, and all firmware development for those products ceases.

D-Link strongly recommends that owners of these routers upgrade to a newer model as any further use may be a risk to the devices connected to it.

The company is trying to placate those who might be annoyed at this by offering a 20% discount on a new service router (DSR-250v2), which is not affected by the vulnerability.

D-Link also notes that while third-party open-firmware is available for many of the affected devices, using it voids the warranty and is solely the responsibility of the device's owner.

This is the second time in a month that D-Link has confirmed it will not patch at-risk devices that have reached their end-of-life / end-of-service status. The Taiwanese firm recommended that owners of its discontinued NAS devices upgrade to newer models as they won't be patched to protect against a critical command injection flaw.

In 2022, the Cybersecurity & Infrastructure Security Agency (CISA) advised consumers to replace D-Link routers with an RCE vulnerability, as the devices had reached their end of life and would no longer receive patches.

Yeah, this fiasco is going to cost them far more than they'd save by not fixing their firmware. They probably already have developers on salary that can fix this so it's not like this is going to actually cost them any extra.
Exactly, plenty of companies will still fix majorly critical issues like this if it's possible, even if a product is EOD, purely because of the reputational issues it can cause otherwise. If it's only a business product, then any updates for an EOL product can be ponied up for, but for normal consumer products, any big major vulnerabilities that can be patched should be patched.
 
A stupid management decision that will cost them more in the long run than a minor, similar-for-all-devices code update would cost, likely only thousands. Enjoy future irreverence, D-Link. You screwed up to save pocket change.
 
When I am deciding on hardware purchases in general, I very much DO look at reputation of how long an item is supported. Especially items that require firmware/software updates. And does it allow open-source access.

It would have been nice if this article had provided when the models were released and how long they were for sale.

As far as routers go, I only get models and brands that accept custom firmware. For example:

https://www.asuswrt-merlin.net/
 
also https://openwrt.org/toh/views/toh_fwdownload?dataflt[0]=supported current rel_=23.05.5
 