January 18th, 2010
ZDNet and PCWorld have both run articles regarding our recent disclosure of the D-Link HNAP vulnerability. As with other postings and reports, there seems to be some confusion as to which routers and models are affected.
D-Link has made some statements that we’d like to offer rebuttals to, as we either suspect them to be incorrect or find them to be downright confusing. The below quotations are from the ZDNet article:
The model that D-Link said is not in the European market is DI-524 (C1). In addition, that model does not support HNAP, the company noted.
Yes, the DI-524 hardware version C1 does in fact support HNAP. It was one of the first D-Link routers to do so. Install the most recent firmware release (version 3.23). HNAP is clearly there and vulnerable.
The non-existent model is DIR-628 (B2), as only A hardware has ever been released for that device.
Correct, the DIR-628 hardware version B2 does not exist; that’s bad on us. The version we tested was actually A2 not B2 as we erroneously reported. I find it odd that D-Link doesn’t seem to have even tested their A-series DIR-628s though. If they had, they would have found that they were vulnerable.
Finally, model DIR-655 (A1, firmware 1.30EA) runs a restricted firmware version related to East Asia and therefore irrelevant for Europe.
There seems to be some expectation from D-Link and others that we have tested every firmware version for every D-Link router in existence. That is simply not possible for us to do. We tested three different D-Link routers with four different firmware versions that spanned a period of three years and two continents, and they were all vulnerable. But that is all that we have tested, and therefore all that we can confirm. Just because we didn’t test European firmware doesn’t mean that it is or isn’t vulnerable. It just means that we didn’t test it.
The networking company said on Monday that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B).
Interestingly, D-Link told PCWorld that there were five routers affected: the DIR-855, DIR-655, DIR-635, DIR-615, and the DI-634.
Now, we know that the DI-524 and DIR-628 are vulnerable. We have also had reports that the DIR-300 is vulnerable (though we can’t confirm this). Yet D-Link does not mention any of them in their list of vulnerable routers. So are there three router models affected? Or five? Or more? Has D-Link performed comprehensive testing on their routers? Or are these just the ones that they’ve tested so far? I can assure you that the DIR-628 and DI-524 need to be added to this list; which others are missing?
In addition, just running the exploit code was not enough to compromise D-Link routers, it said. “It is important to note that running the code on its own is not sufficient to hack into the router: only the software tool provided seems to achieve this result,” said the D-Link statement.
OK, now I’m confused – running the code won’t hack the router, but running the software will? It’s a bash script: the code is the software (Einhorn is Finkle…Finkle is Einhorn…). Any piece of software that can make Web requests can be used to exploit the vulnerability. Web browser? Check. Netcat? Yup. Wget? Sure! Curl? Definitely! I’m not sure what D-Link is trying to say here.
And finally, there’s the inevitable passing of the buck:
“By publicising their tool, and giving specific instructions, the authors of the report have publicly outlined how the security can be breached, which could have had serious repercussions for our customers,” said the D-Link statement.
Yes, of course. It’s not D-Link’s fault for selling vulnerable routers to their customers. It’s obviously our fault for informing their customers of the vulnerability. Shame on us.