D-Link tells users to trash old VPN routers over bug too dangerous to identify


By Connor Jones, Wed 20 Nov 2024 // 14:32 UTC

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.

Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn’t assigned it a CVE identifier or really said much about it at all other than that it’s a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.

Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization’s web traffic, potentially stealing data such as credentials.

Adversary-in-the-middle attacks are possible too, and attackers could also feasibly pivot to other connected devices to deploy ransomware, for example, although it should be said that D-Link hasn’t explicitly said any of this could be possible in this case specifically. We only mention it to give a flavor of how seriously this issue should be taken. Vendors don’t tend to issue retire-and-replace orders without good reason.

Apple confirms Intel Mac bug under active exploit

In other news, Apple this week released patches for a pair of zero-day bugs that were being exploited against Intel-based Macs. Google’s Threat Analysis Group (TAG) found that maliciously crafted web content could lead to arbitrary code execution in one case (CVE-2024-44308) and to a cross-site scripting attack in the other (CVE-2024-44309).

The vulnerabilities lie in Apple’s WebKit browser engine. On Macs, this means Safari users are affected, and since exploitation has been observed against Intel-based machines, upgrading to macOS Sequoia 15.1.1 is strongly advised.

WebKit powers not only Safari but every browser that runs on iOS, iPadOS, and visionOS, much to the dismay of the UK’s Competition and Markets Authority (CMA). Chrome, Firefox, and the rest are essentially reskinned Safari on those platforms, so the WebKit flaws affect every browser on those non-Mac devices as well, and Apple has shipped fixes for those platforms too.

Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024 but some as far back as 2015 – D-Link won’t be issuing patches for any of them.

The vendor extended an olive branch to product owners in the form of a 20 percent discount on a new service router (DSR-250v2) that is not affected by the vulnerability. Affected devices (all hardware revisions) include:

  • DSR-150 (EOL May 2024)
  • DSR-150N (EOL May 2024)
  • DSR-250 (EOL May 2024)
  • DSR-250N (EOL May 2024)
  • DSR-500N (EOL September 2015)
  • DSR-1000N (EOL October 2015)

“Regardless of product type or US sales channel, D-Link’s general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases,” D-Link said in an advisory.

“D-Link US is prohibited from providing support for these EOL/EOS products; if you are outside the US, please contact your regional D-Link office,” it added. “If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware. D-Link does not support open-firmware, which voids any warranty and is solely the responsibility of the device’s owner.”

In the meantime, owners were also advised to change each device’s unique web-management password regularly and to make sure Wi-Fi encryption is enabled. Neither step blocks an unauthenticated RCE, however; at best they limit exposure until the hardware is replaced. ®

Story from Theregister.com

Connor Jones

Connor is a cybersecurity journalist for The Register, reporting on what you need to know to keep your systems secure. Based in the UK, he has previously held positions ranging from news editor to staff writer.
