Published in News

D-Link says sorry for being rubbish

on 21 April 2015


Router Security is pants

D-Link has said sorry to its customers for an on-going security issue with many of its routers.

A flaw in the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorisation and run commands with escalated privileges.

There are shedloads of routers affected by the issue and D-Link has already issued one patch which did not work. Apparently a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology.

The HNAP issue affects DIR-890L (A1), DIR-880L (A1), DIR-868L (A1), DIR-865L (A1), DIR-860L (B1), DIR-860L (A1), DIR-850L (B1), DIR-850L (A1), DIR-820LW (B1), DIR-818LW (A1), DIR-817LW (B1), DIR-816L (A1), DIR-815 (B1), DIR-600 (B1), DIR-300 (B1), DIR-629 (A1), and DAP-1522 (B1). The problem is listed on D-Link's support pages where it is described thusly:

All any attacker needs to do to gain access to the router is send an unprivileged HNAP command such as GetDeviceSettings and append to the command an additional command separated with a "/", which is used as a separator between commands.
Any command(s) after the first will be executed unauthenticated. Additionally, additional commands will be passed directly to the underlying Linux system, allowing the injection of arbitrary system commands. The GetDeviceSettings HNAP Command is used to indicate some very common parameters (e.g. the domain name of the HNAP device), as well as to define which HNAP commands are available.
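
One way to spot the chained-command pattern described above in captured requests to a router's management interface, as an added example that is not from D-Link or the original article. It assumes the HNAP command name is carried in the SOAPAction HTTP header under the http://purenetworks.com/HNAP1/ namespace; the function names and sample requests are constructed.

```python
import re

# Assumption (not stated in the article): the HNAP command name travels in the
# SOAPAction HTTP header as "<namespace><Command>".
HNAP_NS = "http://purenetworks.com/HNAP1/"
COMMAND_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")  # exactly one bare command name


def classify_soapaction(value):
    """Return (verdict, detail) for one SOAPAction header value."""
    action = value.strip().strip('"')
    if not action.startswith(HNAP_NS):
        return ("not-hnap", action)
    rest = action[len(HNAP_NS):]
    if COMMAND_RE.fullmatch(rest):
        return ("ok", rest)
    # Anything after a "/" following a valid first command is the chaining
    # pattern the advisory describes.
    first, sep, trailing = rest.partition("/")
    if sep and COMMAND_RE.fullmatch(first):
        return ("chained", f"{first} followed by {trailing!r}")
    return ("malformed", rest)


def scan(requests):
    """requests: iterable of (source_ip, headers dict). Return a list of alerts."""
    alerts = []
    for src, headers in requests:
        # HTTP header names are case-insensitive.
        soap = next((v for k, v in headers.items() if k.lower() == "soapaction"), None)
        if soap is None:
            continue
        verdict, detail = classify_soapaction(soap)
        if verdict in ("chained", "malformed"):
            alerts.append((src, verdict, detail))
    return alerts


# Constructed sample requests (documentation IP range, placeholder command names).
SAMPLE = [
    ("192.0.2.10", {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'}),
    ("192.0.2.66", {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/SecondCommand"'}),
    ("192.0.2.67", {"soapaction": "http://purenetworks.com/HNAP1/GetDeviceSettings/extra text"}),
    ("192.0.2.11", {"Host": "router.example"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```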

Some more patches were released yesterday, some are due today and the remainder on 24 April and more information can be found here.

In a statement, the company said that it "is deeply apologetic to any users affected by this issue" and advised users to change their admin password and implement a strong password policy.

Last modified on 21 April 2015