Today It’s 60K EoL D-Link Routers That Aren’t Getting Patches

No, It’s Not A Repeat.  Last Week Was 60K NAS Devices

Today in reasons to reconsider purchasing or recommending D-Link products, there are almost 60,000 D-Link DSL6740C routers that hit EoL at the beginning of this year with critical security flaws that will not be patched.  The only good news, if you can call it that, is that the devices were only ever sold overseas; Taiwan having the most devices.  The problem is that while the vulnerable devices may be located in Taiwan, once they are infected those that took advantage of EoL D-Link devices will not restrict their nefarious activities to that region.  There is also the fact that we would rather not see any TSMC employees fall victim to this attack.

The vulnerabilities include a 9.8 that allows an attacker to change the password of an existing account on the router, thus granting themselves as much access as they could ever want while simultaneously locking the owner out of their router.   There are two more, one allowing an unauthenticated user to gain far more details about the router than they ever should and one that lets someone with admin, probably thanks to the first bug, execute arbitrary commands via a special webpage.

It is unreasonable to expect companies to support their devices forever, however with devices that can cause serious havoc across the globe we need something better than a shrug from the manufacturers.  At least give them a way to patch themselves or apply something like DD-WRT to the devices.