D-Link tells users to trash old VPN routers over bug too dangerous to identify

Vendor offers 20% discount on new model, but not patches

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability.

Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier and has said little beyond that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.

Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.

Adversary-in-the-middle attacks are possible too, and attackers could also feasibly pivot to other connected devices to deploy ransomware, for example, although it should be said that D-Link hasn't explicitly said any of this could be possible in this case specifically. We only mention it to give a flavor of how seriously this issue should be taken. Vendors don't tend to issue retire-and-replace orders without good reason.

Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024 but some as far back as 2015 – D-Link won't be issuing patches for any of them.

The vendor extended an olive branch to product owners in the form of a 20 percent discount on a new service router (DSR-250v2) that is not affected by the vulnerability. Affected devices (all hardware revisions) include:

"Regardless of product type or US sales channel, D-Link's general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products cease," D-Link said in an advisory.

"D-Link US is prohibited to provide support for these EOL/EOS products, if you are outside the US, please contact your regional D-Link office," it added. "If your device was provided by a licensed carrier (service provider) and firmware, please contact your carrier (service provider). Many devices on this list have available third-party open-firmware, D-Link does not support open-firmware which voids any warranty and is solely the responsibility of the device's owner."

In the meantime, product owners were also advised to regularly update each device's unique password used to access its web management panel, while also ensuring Wi-Fi encryption is enabled. ®
